Atlassian on Thursday urged organizations using its Questions for Confluence app to update immediately to the latest version of the software, or to apply a mitigation, to protect against a critical vulnerability in the product, one of three critical bugs the vendor disclosed this week.
The "patch now" advice was prompted by the public disclosure of a hardcoded password associated with the Questions app that gives a remote, unauthenticated attacker a way to log into Confluence and access all content in the broader
Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Confluence environments often house sensitive data on the projects an organization is working on, or on its customers and partners.
The Questions app adds a Q&A/crowdsourcing function within a given workspace.
The problem primarily affects organizations running Questions for Confluence Server and Data Center versions 2.7.34, 2.7.35, and 3.0.2 of the app. However, organizations using other versions of Confluence could potentially be affected as well, Atlassian said. The vulnerability does not affect the Questions for Confluence app for Confluence Cloud.
Bracing for Exploits
"The issue is likely to be exploited in the wild now that the hardcoded password is publicly known," Atlassian warned. "This vulnerability (CVE-2022-26138) should be remediated on affected systems immediately," the vendor said.
Atlassian disclosed the bug on Wednesday. The company described the issue as stemming from a Confluence user account that is created when the Questions for Confluence app is enabled on either Confluence Data Center or Confluence Server. The account, with the username "disabledsystemuser", is designed to help administrators migrate data from the app to Confluence Cloud.
The account is created with a hardcoded password, and it is added to the confluence-users group. By default, members of that group can view and edit all non-restricted pages in the Confluence instance, according to Atlassian. So any attacker who knows the password can log in remotely to the Confluence collaboration environment and access whatever content other users in the group can access, the software vendor said.
Soon after Atlassian's advisory on Wednesday, a security researcher published the hardcoded password on Twitter, prompting Atlassian's urgent update on Thursday.
The company's advisory provided details on how organizations can determine whether they are affected by the vulnerability or might already have been compromised through an exploit targeting the flaw. Atlassian urged organizations to update to version 2.7.38 or 3.0.5 of the app, or to disable or delete the disabledsystemuser account.
Importantly, merely uninstalling the Questions for Confluence app does not remediate the vulnerability, because the disabledsystemuser account remains in place after the app is removed, Atlassian warned.
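One concrete way to carry out the "have we been compromised" check described above is to scan the Confluence access logs for any request served under the disabledsystemuser account. The script below is an added example, not Atlassian's tooling or part of the advisory. It assumes the Tomcat access-log pattern `%t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i` (second field is the authenticated username, `-` when anonymous; fourth is the client IP); if your instance uses a different pattern, adjust `LINE_RE`. The log lines are constructed for the example.

```python
"""Scan Confluence (Tomcat) access logs for activity by the hardcoded
'disabledsystemuser' account from CVE-2022-26138.

Added example; not Atlassian's tooling. ASSUMED log pattern:
  %t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i
Sample lines below are constructed, not captured from a real system.
"""
import re
from collections import Counter

SUSPECT_USER = "disabledsystemuser"

# [timestamp] user thread client-ip "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<thread>\S+) (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample: one anonymous hit, two requests as the suspect
# account from an external IP (login, then a bulk content read), one
# normal user, and a malformed line that the parser must skip.
SAMPLE_LOG = [
    '[22/Jul/2022:09:14:02 +0000] - http-nio-8090-exec-3 10.0.0.12 '
    '"GET /login.action HTTP/1.1" 200 31ms 4521 - Mozilla/5.0',
    '[22/Jul/2022:09:14:09 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.50 '
    '"POST /dologin.action HTTP/1.1" 302 88ms 0 - python-requests/2.28.1',
    '[22/Jul/2022:09:14:11 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.50 '
    '"GET /rest/api/content?limit=100 HTTP/1.1" 200 45ms 18234 - python-requests/2.28.1',
    '[22/Jul/2022:09:15:40 +0000] jsmith http-nio-8090-exec-1 10.0.0.77 '
    '"GET /display/ENG/Roadmap HTTP/1.1" 200 52ms 22310 - Mozilla/5.0',
    'this line does not match the expected pattern',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspect_activity(lines, suspect=SUSPECT_USER):
    """Return (hits, per_ip): every parsed request made as `suspect`,
    and a Counter of how many came from each client IP."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != suspect:
            continue
        hits.append(rec)
        per_ip[rec["ip"]] += 1
    return hits, per_ip


def first_seen(hits):
    """Timestamp of the earliest request by the suspect account (log order)."""
    return hits[0]["ts"] if hits else None


if __name__ == "__main__":
    hits, per_ip = find_suspect_activity(SAMPLE_LOG)
    print(f"{len(hits)} request(s) as {SUSPECT_USER}; first seen: {first_seen(hits)}")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n} request(s)")
    for h in hits:
        print(f"  {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```

Any hit should be treated as an indicator of compromise until proven otherwise; the account is not meant to be used interactively. An empty result is not proof of safety if logs were rotated before the password became public, so cross-check the account's last-login information in Confluence's user management, as Atlassian's advisory describes, and disable or delete the account regardless.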
Two Other Critical Vulnerabilities
The other two critical vulnerabilities disclosed this week (CVE-2022-26136 and CVE-2022-26137) exist in multiple versions of almost all Atlassian products. These include Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Jira Server and Data Center, and Jira Service Management Server and Data Center.
CVE-2022-26136 is an authentication-bypass vulnerability involving servlet filters, the Java components that intercept and process HTTP requests and responses between a client and the backend application. The flaw lets an attacker send a specially crafted HTTP request that bypasses servlet filters third-party apps may rely on to enforce authentication.
Atlassian said it had been able to confirm that such attacks are possible, but it has not yet been able to identify every third-party app affected by the issue.
The flaw tracked as CVE-2022-26137 also involves servlet filters. A specially crafted HTTP request causes additional servlet filters to be invoked, and a remote, unauthenticated attacker who can trick a user into requesting a malicious URL can then access the vulnerable application with that user's permissions. Atlassian has released updated versions of all affected products to address both vulnerabilities.
Atlassian’s Ongoing Cybersecurity Woes
The latest flaws mark the second time in the past two months that organizations using Atlassian's technology have had to scramble to fix serious flaws in its products.
In early June, the company disclosed a critical remote code-execution (RCE) vulnerability affecting all supported versions of Confluence Server and Data Center. The bug (CVE-2022-26134) gave unauthenticated attackers a way to drop a Web shell on affected systems. It generated considerable concern because threat actors had already begun exploiting it by the time the company issued a fix.
Attackers quickly began exploiting the flaw at scale to distribute a variety of malware, including Mirai bot variants, cryptominers, ransomware, and the Cobalt Strike post-exploitation toolkit. Many of the attacks were automated.
An analysis by Barracuda found that 45% of attempts to exploit the vulnerability came from Russia-based IP addresses, 25% from the US, and 11% from IP addresses in India.