A important Atlassian Confluence vulnerability that was disclosed final week is now being actively exploited within the wild, researchers are warning.
In response to researchers at Rapid7, the bug in query (CVE-2022-26138, certainly one of three patched final week) is because of a hardcoded password within the Questions for Confluence app, which might enable cyberattackers to realize full entry to information throughout the on-premises Confluence Server and Confluence Knowledge Middle platforms.
Extra particularly, as soon as put in, the Questions for Confluence app will “create a consumer account with a hard-coded password and add the account to a consumer group, which permits entry to all nonrestricted pages in Confluence,” in line with Rapid7’s posting. “This simply permits a distant, unauthenticated attacker to browse a company’s Confluence occasion.”
The stakes are excessive. Many organizations use Confluence for challenge administration and collaboration amongst groups scattered throughout on-premises and distant places. Usually Confluence environments can home delicate information on tasks that a company is perhaps engaged on, or home it on its clients and companions.
Organizations are urged to patch rapidly as a result of the password was made public final week, prompting emergency motion by Atlassian. Confluence is sadly a well-liked goal for attackers, as evidenced by the lively exploitation of the bug tracked as CVE-2022-26134 in June, used to unfold ransomware.
Admins ought to notice: The bug solely exists when the Questions for Confluence app is enabled, and it doesn’t influence the Confluence Cloud occasion. Nevertheless, crucially, “uninstalling the Questions for Confluence app doesn’t remediate this vulnerability,” in line with Atlassian’s advisory final week.
“Confluence has had no scarcity of headlines,” Rick Holland, CISO at Digital Shadows, stated by way of e-mail. “Hardcoded passwords considerably improve the chance of exploitation, particularly when the passwords grow to be broadly shared. When you play soccer, hardcoded passwords are ‘personal objectives.’ Adversaries rating sufficient objectives alone; we need not put the ball in our personal web. By no means use hardcoded passwords; take the time to arrange correct authentication and reduce future dangers.”
