Atlassian: Confluence Hardcoded Password was Leaked, Patch Now!
One day after releasing security updates to address the vulnerability (tracked as CVE-2022-26138), Atlassian warned admins to patch their servers as soon as possible, given that the hardcoded password had been found and shared online.
“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” the company warned Thursday.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known.”
The warning is both timely and necessary: a threat actor who knows the password can log into a vulnerable Confluence server and read any page that the confluence-users group can access.
This is also no surprise, as Atlassian had already alerted users that the password was “trivial to obtain after downloading and reviewing affected versions of the app.”
Patching and checking for evidence of exploitation
To defend against potential attacks, Atlassian recommends updating to a patched version of Questions for Confluence or disabling/deleting the disabledsystemuser account.
Updating the Questions for Confluence app to a fixed version (versions 2.7.x >= 2.7.38 or versions greater than 3.0.5) will remove the problematic user account if present.
To determine whether a server is affected by this hardcoded-credentials flaw, check for an active user account with the following details:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: firstname.lastname@example.org
To look for evidence of exploitation, check the last authentication time for disabledsystemuser by following Atlassian's instructions. If the result is null, the account exists on the system but no one has signed in with it yet.
It is also important to note that uninstalling the Questions for Confluence app on affected servers does not remove the attack vector (the hardcoded credentials); unpatched systems remain exposed.
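The two checks above (is the installed Questions for Confluence version in a fixed range, and does an active disabledsystemuser account exist and has it ever authenticated) are easy to get subtly wrong when done by eye across many servers. The following Python script is an added example written for this article, not Atlassian's own tooling or the advisory's instructions. It encodes the article's stated fix rule (2.7.x with x >= 38, or anything greater than 3.0.5) and classifies a list of user records; the record shape (`username`, `email`, `active`, `last_authenticated`) and the sample records are constructed for the example, and in practice they would be filled from an export of the Confluence user directory.

```python
"""Defender-side triage for CVE-2022-26138 (hardcoded Questions for Confluence account).

Example code written for this article. The user-record format and sample data
below are constructed assumptions, not an Atlassian API or export format.
"""
from typing import Dict, List, Optional, Tuple

# Account name given in Atlassian's advisory and quoted in the article.
HARDCODED_USERNAME = "disabledsystemuser"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.7.38' into (2, 7, 38); missing trailing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_fixed_version(version: str) -> bool:
    """Apply the article's rule for fixed app versions.

    Fixed: 2.7.x with x >= 38, or any version greater than 3.0.5.
    Anything outside both ranges is reported as not confirmed fixed, so the
    caller has to look it up rather than assume it is safe.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) == (2, 7):
        return patch >= 38
    return (major, minor, patch) > (3, 0, 5)


def assess_account(users: List[Dict]) -> Dict[str, Optional[str]]:
    """Classify a server from its user records.

    status values:
      not_present    - no active disabledsystemuser account (already removed or never installed)
      present_unused - account exists, last authentication is null (no sign of use yet)
      present_used   - account exists and has authenticated; treat as possible exploitation
    """
    for user in users:
        if user.get("username") != HARDCODED_USERNAME or not user.get("active", True):
            continue
        last = user.get("last_authenticated")  # None models a null last-login value
        status = "present_unused" if last is None else "present_used"
        return {"status": status, "last_authenticated": last}
    return {"status": "not_present", "last_authenticated": None}


# Constructed sample export: one ordinary user plus the hardcoded account that
# has never authenticated (the "null" case described in the article).
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@example.org",
     "active": True, "last_authenticated": "2022-07-20T09:12:00Z"},
    {"username": "disabledsystemuser", "email": "firstname.lastname@example.org",
     "active": True, "last_authenticated": None},
]


if __name__ == "__main__":
    for v in ("2.7.34", "2.7.38", "3.0.2", "3.0.5", "3.0.6"):
        print(f"Questions for Confluence {v}: fixed={is_fixed_version(v)}")
    print("account check:", assess_account(SAMPLE_USERS))
```

A `present_used` result is the signal the article describes: the account exists and someone has authenticated with it, so the server warrants an incident-response review rather than just a patch. `present_unused` still means the credential is live and the server should be patched or the account disabled or deleted as Atlassian recommends.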
Confluence servers are attractive targets for threat actors, as shown by previous attacks with Linux botnet malware, AvosLocker and Cerber2021 ransomware, and crypto miners.