Qualys Inc.

08/17/2022 | News release | Distributed by Public on 08/17/2022 04:15

Atlassian Confluence : Questions for Confluence App – Hardcoded Credentials (CVE-2022-26138)

Over the last few months, Atlassian Confluence has increasingly become a target for attackers. In June 2022 we saw CVE-2022-26134, a critical-severity OGNL remote code execution vulnerability. In the last week of July 2022, CVE-2022-26138 was disclosed on social media platforms.

In CVE-2022-26138, the Questions for Confluence app creates a Confluence user account whose hardcoded credentials are stored inside the plugin jar file available from Atlassian's package repository. An attacker with knowledge of these credentials could log into the Confluence application and access all content visible to the confluence-users group. Atlassian has rated the vulnerability critical and has highlighted that it is being exploited in the wild.

Because of the nature of the vulnerability, it can only be verified remotely by logging into the Confluence application with the hardcoded credentials. Traditional open-source scanners and scripts check only for a Location HTTP response header and a 302 status code to verify the credentials, which can produce false positives. Qualys Web Application Scanning has released QID 150556, which confirms the vulnerability in two steps: after the login attempt, the detection takes an additional step to verify that the credentials are valid by navigating to the user profile page and checking that the correct page is returned. This check is much more effective than the open-source scanners and eliminates any possibility of false positives.

About CVE-2022-26138

According to the Questions for Confluence security advisory, Confluence Server and Confluence Data Center installations using affected versions of the Questions for Confluence app are impacted by CVE-2022-26138.

Affected versions:

  • Questions for Confluence 2.7.x: 2.7.34, 2.7.35
  • Questions for Confluence 3.0.x: 3.0.2

Hardcoded Credentials vulnerability

When installed on a Confluence application, affected versions of the Questions for Confluence app create a user account with the username disabledsystemuser and the password disabled1system1user6708. The account is added to the confluence-users group, which by default allows viewing and editing all non-restricted pages within Confluence. A remote attacker can easily leverage these credentials to browse sensitive content within the Confluence application.

These hardcoded credentials are stored in the default.properties file inside the confluence-questions-X.X.X.jar file.

Detecting the Vulnerability with Qualys WAS

Customers can detect CVE-2022-26138 on a target Confluence instance with Qualys Web Application Scanning using the following QID:

  • 150556: Atlassian Confluence Server and Data Center: Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)

The QID is part of the core category. A vulnerability scan whose options profile uses the core search list, or a custom search list that includes this QID, will flag vulnerable applications.

Qualys WAS Report

Once the vulnerability has been detected by WAS, users will see results similar to the following in the vulnerability scan report:

Solution & Mitigation

To remediate this vulnerability, organizations using the Questions for Confluence app are advised to do the following:

  • Upgrade to version 2.7.38 or later on the 2.7.x line (compatible with Confluence 6.13.18 through 7.16.2), or to version 3.0.5 or later (compatible with Confluence 7.16.3 and later).
  • Disable or delete the disabledsystemuser account.

Please note that uninstalling the Questions for Confluence app does not remediate this vulnerability: the disabledsystemuser account is not automatically removed when the app is uninstalled, so the account may still be present on any instance where the app was installed at some point in the past. Check the list of active users to ensure the Confluence instance is not affected.
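One way to perform that check against your own instance, as an added example that is not Qualys or Atlassian code: it queries the Confluence Server REST API (the /rest/api/user and /rest/api/user/memberof resources) with an administrator's own credentials and reports whether the disabledsystemuser account exists and whether it is still in confluence-users. The base URL, the admin credentials and the sample responses are assumptions or constructed data.

```python
"""Check a Confluence instance for the leftover disabledsystemuser account."""
import json
from base64 import b64encode
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Account name and group taken from the Atlassian advisory.
ACCOUNT = "disabledsystemuser"
GROUP = "confluence-users"

def assess(user_json, groups_json):
    """Turn the two REST responses into a finding.
    user_json:   parsed body of GET /rest/api/user?username=<ACCOUNT>, or None on 404
    groups_json: parsed body of GET /rest/api/user/memberof?username=<ACCOUNT>, or None
    """
    if user_json is None:
        return {"present": False, "in_confluence_users": False, "action": "none"}
    groups = [g.get("name") for g in (groups_json or {}).get("results", [])]
    # The account is a finding whether or not it still sits in confluence-users:
    # the advisory says to disable or delete it, and uninstalling the app does not.
    return {"present": True, "in_confluence_users": GROUP in groups,
            "action": "disable or delete the account"}

def fetch_json(base_url, path, auth_header):
    """GET a Confluence REST resource as JSON; None when it is absent (HTTP 404)."""
    req = Request(base_url.rstrip("/") + path,
                  headers={"Authorization": auth_header, "Accept": "application/json"})
    try:
        with urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise

def check_instance(base_url, admin_user, admin_password):
    """Live check using an administrator's credentials (hypothetical helper, assumed URL)."""
    auth = "Basic " + b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    user = fetch_json(base_url, f"/rest/api/user?username={ACCOUNT}", auth)
    groups = fetch_json(base_url, f"/rest/api/user/memberof?username={ACCOUNT}", auth) if user else None
    return assess(user, groups)

# Constructed sample responses shaped like Confluence Server REST API output, for offline use.
SAMPLE_USER = {"type": "known", "username": ACCOUNT, "displayName": "Disabled System User"}
SAMPLE_GROUPS = {"results": [{"type": "group", "name": GROUP}], "size": 1}

if __name__ == "__main__":
    print(assess(SAMPLE_USER, SAMPLE_GROUPS))
```

For a live check, call check_instance with your instance's base URL and an administrator account; a result with "present": True means the account must still be disabled or deleted even if the app is already gone.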

Credit

Confluence Security Advisory: https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html

CVE Details:
