Atlassian on Thursday urged organizations using its Questions for Confluence app to immediately update to the latest version of the software, or to apply a mitigation measure, to protect against a critical vulnerability in the product, one of three critical bugs disclosed by the vendor this week.
The "patch now" advice was prompted by the public disclosure of a hardcoded password associated with the Questions app that gives a remote, unauthenticated attacker a way to log into Confluence and access all content in the broader confluence-users group.
Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Confluence environments can often house sensitive data on projects an organization is working on, or on its customers and partners.
The Questions app, meanwhile, provides a Q&A/crowdsourcing function within a given workspace.
The problem primarily affects organizations using Questions for Confluence Server and Data Center versions 2.7.34, 2.7.35, and 3.0.2 of the app. However, even organizations using other versions of Confluence could potentially be affected, Atlassian said. The vulnerability does not affect the Questions for Confluence app for Confluence Cloud.
Bracing for Exploits
"The issue is likely to be exploited in the wild now that the hardcoded password is publicly known," Atlassian warned. "This vulnerability (CVE-2022-26138) should be remediated on affected systems immediately," the vendor said.
Atlassian disclosed the bug on Wednesday. The company described the issue as resulting from a Confluence user account that is created when the Questions for Confluence app is enabled on either Confluence Data Center or Confluence Server. The user account, with the username "disabledsystemuser", is designed to help administrators migrating data from these apps to Confluence Cloud.
But the account is created with a hardcoded password and is added to the confluence-users group. This allows attackers to view and edit all non-restricted pages within the Confluence user group by default, according to Atlassian. So any attacker who knows the password can log in remotely to the Confluence collaboration environment and access whatever content other users in the group can access, the software vendor said.
Soon after Atlassian's advisory on Wednesday, a security researcher published the hardcoded password on Twitter, prompting Atlassian's urgent update on Thursday.
The company's advisory provided details on how organizations can determine whether they are affected by the vulnerability or might already have been compromised through an exploit targeting the flaw. Atlassian urged organizations to update to version 2.7.38 or 3.0.5 of the software, or to disable or delete the disabledsystemuser account.
Importantly, merely uninstalling the Questions for Confluence application does not remediate the vulnerability, because the disabledsystemuser account remains in place after the app is removed, Atlassian warned.
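The remediation logic above (update to a fixed release, or disable/delete the account, and note that uninstalling the app alone leaves the account behind) is easy to get wrong in a large estate. The following triage helper is an added example, not Atlassian's code and not part of the advisory. It takes a constructed inventory record that an administrator would assemble from the Confluence admin screens or REST API, decides whether the instance is still exposed and what to do, and scans constructed access-log lines for activity by the disabledsystemuser account. The record shape, the log format, the IP addresses and the timestamps are all assumptions made for illustration; the version numbers and account/group names come from the article.

```python
"""Triage helper for the Questions for Confluence hardcoded account (CVE-2022-26138).

Added example, not Atlassian's code. Inventory record shape, log line format and
all sample values are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

ACCOUNT = "disabledsystemuser"
GROUP = "confluence-users"
AFFECTED_APP = {"2.7.34", "2.7.35", "3.0.2"}   # releases named in the advisory
FIXED_APP = {2: (2, 7, 38), 3: (3, 0, 5)}       # fixed releases 2.7.38 and 3.0.5


@dataclass
class Finding:
    exposed: bool
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def app_is_fixed(version):
    """True when the installed Questions app is at or above a fixed release.

    Unknown release lines are conservatively treated as unfixed.
    """
    if not version:
        return False
    parsed = version_tuple(version)
    fixed = FIXED_APP.get(parsed[0])
    return fixed is not None and parsed >= fixed


def assess(inv):
    """Decide whether an instance is still exposed and which actions remain.

    inv is a constructed inventory record with keys:
      app_version     installed Questions app version, or None if uninstalled
      account_present / account_active   state of the disabledsystemuser account
      groups          groups the account belongs to
    """
    finding = Finding(exposed=False)
    ver = inv.get("app_version")
    app_unfixed = bool(ver) and not app_is_fixed(ver)
    if app_unfixed:
        tag = "an affected release" if ver in AFFECTED_APP else "older than the fixed releases"
        finding.reasons.append("Questions app %s is %s" % (ver, tag))
    if inv.get("account_present") and inv.get("account_active"):
        # The live account is the actual exposure, regardless of app state.
        finding.exposed = True
        finding.reasons.append(ACCOUNT + " exists and is enabled")
        if GROUP in inv.get("groups", []):
            finding.reasons.append("it is a member of %s, so it can read every non-restricted page" % GROUP)
        if ver is None:
            # The case the advisory stresses: removing the app does not remove the account.
            finding.reasons.append("the app is uninstalled, yet the account survived its removal")
        finding.actions.append("disable or delete " + ACCOUNT)
    elif inv.get("account_present"):
        finding.reasons.append(ACCOUNT + " exists but is disabled")
    if app_unfixed:
        finding.actions.append("update Questions for Confluence to 2.7.38 or 3.0.5")
    return finding


# Constructed access-log format: ip - user [timestamp] "request" status
ACCESS_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed lines; 198.51.100.0/24 is a documentation range
    '10.0.0.5 - alice [21/Jul/2022:09:01:12 +0000] "GET /display/PROJ/Home HTTP/1.1" 200',
    '198.51.100.7 - disabledsystemuser [21/Jul/2022:09:04:33 +0000] "GET /rest/api/content?limit=500 HTTP/1.1" 200',
    '198.51.100.7 - disabledsystemuser [21/Jul/2022:09:04:35 +0000] "GET /display/PROJ/Customers HTTP/1.1" 403',
    '10.0.0.9 - bob [21/Jul/2022:09:10:00 +0000] "POST /rest/api/content HTTP/1.1" 200',
]


def account_activity(log_lines):
    """Return (ip, timestamp, request, status) for every request made as the hardcoded account."""
    hits = []
    for line in log_lines:
        match = ACCESS_RE.match(line)
        if match and match["user"] == ACCOUNT:
            hits.append((match["ip"], match["ts"], match["req"], match["status"]))
    return hits


if __name__ == "__main__":
    uninstalled = {"app_version": None, "account_present": True, "account_active": True, "groups": [GROUP]}
    result = assess(uninstalled)
    print("exposed:", result.exposed)
    for reason in result.reasons:
        print("  -", reason)
    for action in result.actions:
        print("  action:", action)
    for hit in account_activity(SAMPLE_LOG):
        print("activity:", hit)
```

Any line returned by account_activity for a real instance is worth treating as a potential compromise indicator, since nothing legitimate should authenticate as this account; the advisory itself directs administrators to check the account's last authentication time.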
Two Other Critical Vulnerabilities
The other two critical vulnerabilities that were disclosed (CVE-2022-26136 and CVE-2022-26137) exist in multiple versions of almost all Atlassian products. These include Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Jira Server and Data Center, and Jira Service Management Server and Data Center.
CVE-2022-26136 is an authentication-bypass vulnerability in Java code called Servlet Filter, which intercepts and processes HTTP requests passing between a client and a backend system. The vulnerability gives attackers a way to use a specially crafted HTTP request to bypass Servlet Filters that third-party apps may use to enforce authentication.
The same vulnerability also allows attackers to use specially crafted HTTP requests to trick users into executing arbitrary JavaScript in the user's browser.
Atlassian said it has been able to confirm such attacks are possible but has still not been able to determine all third-party apps that might be affected by the issue.
The flaw tracked as CVE-2022-26137 also exists in Servlet Filter and gives remote, unauthenticated attackers a way to access vulnerable applications by using a specially crafted HTTP request to trick users into requesting a malicious URL. Atlassian has released updated versions of its software for all affected products to address these vulnerabilities.
Atlassian’s Ongoing Cybersecurity Woes
The latest flaws mark the second time in the past two months that organizations using Atlassian's technology have been forced to scramble to fix serious flaws in its products.
In early June, the company disclosed a critical remote code execution (RCE) vulnerability affecting all supported versions of Confluence Server and Data Center. The bug (CVE-2022-26134) gave unauthenticated attackers a way to drop a Web shell on affected systems. It generated considerable concern because threat actors had already begun exploiting it by the time the company issued a fix.
Attackers quickly began actively exploiting the flaw to distribute a variety of malware, including Mirai bot variants, cryptominers, ransomware and the Cobalt Strike post-exploitation attack kit. Many of the attacks were automated in nature.
An analysis by Barracuda showed that 45% of attempts to exploit the vulnerability came from Russia-based IP addresses; 25% of the exploit attacks came from the US; and 11% originated from IP addresses in India.