
             AUSCERT External Security Bulletin Redistribution

           Questions For Confluence Security Advisory 2022-07-20
                               22 July 2022


        AusCERT Security Bulletin Summary

Product:           Questions For Confluence
Publisher:         Atlassian
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26138  

Original Bulletin: 

Comment: CVSS (Max):  None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

Questions For Confluence Security Advisory 2022-07-20

Update: This advisory has been updated since its original publication.

21 Jul 2022 8:30 AM PDT (Pacific Time, -7 hours)

  o An external party has discovered and publicly disclosed the hardcoded
    password on Twitter. It is important to remediate this vulnerability on
    affected systems immediately.
  o The Summary of Vulnerability and Severity sections have been updated to
    include this new information

Summary              Confluence account with hardcoded credentials created by
                     Questions for Confluence

Advisory Release     20 Jul 2022 10:00 AM PDT (Pacific Time, -7 hours)

Products             Questions For Confluence app for:

                       o Confluence Server
                       o Confluence Data Center

                     The Questions for Confluence app for Confluence Cloud is not

CVE ID(s)            CVE-2022-26138

Summary of Vulnerability

When the Questions for Confluence app is enabled on Confluence Server or Data
Center, it creates a Confluence user account with the username
disabledsystemuser. This account is intended to aid administrators that are
migrating data from the app to Confluence Cloud. The disabledsystemuser account
is created with a hardcoded password and is added to the confluence-users
group, which allows viewing and editing all non-restricted pages within Confluence
by default. A remote, unauthenticated attacker with knowledge of the hardcoded
password could exploit this to log into Confluence and access any pages the
confluence-users group has access to.

An external party has discovered and publicly disclosed the hardcoded password
on Twitter. Refer to the Fixes section below for guidance on how to remediate
this vulnerability.


This issue is likely to be exploited in the wild now that the hardcoded
password is publicly known. This vulnerability should be remediated on affected
systems immediately. 

Atlassian rates the severity level of this vulnerability as critical. The scale
allows us to rank the severity as critical, high, moderate or low. This is our
assessment, and you should evaluate its applicability to your own IT

How To Determine If You Are Affected

A Confluence Server or Data Center instance is affected if it has an active
user account with the following information:

  o User: disabledsystemuser

  o Username: disabledsystemuser

  o Email: dontdeletethisuser@email.com

Warning: It is possible for this account to be present if the Questions for
Confluence app has previously been installed and uninstalled.

If this account does not show up in the list of active users, the Confluence
instance is not affected.

Affected Versions

These are the versions of the app that create the disabledsystemuser account
with a hardcoded password. Confluence installations that do not actively have
any of these versions of the app installed may still be affected. Refer to the
How To Determine If You Are Affected section above and the Remediation section
below for more information.

Questions for Confluence 2.7.x   o 2.7.34
                                 o 2.7.35

Questions for Confluence 3.0.x   o 3.0.2


Uninstalling the Questions for Confluence app does not remediate this
vulnerability. The disabledsystemuser account does not automatically get
removed after the app has been uninstalled. If you have verified a Confluence
Server or Data Center instance is affected, two equally effective ways to
remediate this vulnerability are listed below.

These options either disable or remove the disabledsystemuser account.
Configuring data migration from the app to Confluence Cloud is now a manual

Option 1: Update to a non-vulnerable version of Questions for Confluence

Update the Questions for Confluence app to a fixed version:

  o 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)

  o Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)

For more information on how to update an app, refer to:


Fixed versions of the Questions for Confluence app stop creating the
disabledsystemuser user account, and remove it from the system if it has
already been created.

Option 2: Disable or delete the disabledsystemuser account

Search for the disabledsystemuser account and either disable it or delete it.
For instructions on how to disable or delete an account (including an
explanation of the differences between the two options), refer to:


How To Look For Evidence of Exploitation

To determine if anyone has successfully logged in to the disabledsystemuser
account, refer to the following document which provides instructions on how to
get a list of users' last logon times:


If the last authentication time for disabledsystemuser is null, that means the
account exists but no one has ever logged into it.
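The two checks above (an active disabledsystemuser account, and its last authentication time) can be combined into one triage pass over a user export. This is an added example, not Atlassian's or AusCERT's code; the CSV layout, its column names and the sample rows are constructed assumptions, and only the username and email come from the advisory.

```python
import csv
import io

USERNAME = "disabledsystemuser"           # from the advisory
EMAIL = "dontdeletethisuser@email.com"    # from the advisory
NULLS = {"", "null", "none"}              # spellings treated as "never logged in"

# Constructed sample export. The columns (username, email, active, last_login)
# are assumed for this example and are not a Confluence export format.
SAMPLE_EXPORT = """username,email,active,last_login
jsmith,jsmith@example.com,true,2022-07-19T09:12:00Z
disabledsystemuser,dontdeletethisuser@email.com,false,2022-07-21T16:40:00Z
"""


def triage(export_text):
    """Report on the advisory's account in one user export.

    present     - a row matches the advisory's username or email
    affected    - that account is active (the advisory's affected condition)
    login_seen  - a non-null last authentication time is recorded
    """
    result = {"present": False, "affected": False,
              "login_seen": False, "last_login": None}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("username") or "").strip().lower()
        mail = (row.get("email") or "").strip().lower()
        if name != USERNAME and mail != EMAIL:
            continue
        result["present"] = True
        if (row.get("active") or "").strip().lower() in ("true", "1", "yes"):
            result["affected"] = True
        # The login check runs even for a disabled account: a recorded
        # login shows the account was used before it was disabled.
        last = (row.get("last_login") or "").strip()
        if last.lower() not in NULLS:
            result["login_seen"] = True
            result["last_login"] = last
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT))
```

In the constructed sample the account has already been disabled, so the instance no longer meets the affected condition, but the recorded login time still calls for investigation.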

Related Tickets

  o CONFSERVER-79483 - Questions For Confluence App - Hardcoded
    Password Published


If you did not receive an email for this advisory and you wish to receive such
emails in the future, go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory that aren't answered
in the FAQ, please raise a support request at https://support.atlassian.com/.


Security Bug  As per our new policy, critical security bug fixes will be back
fix Policy    ported in accordance with
              https://www.atlassian.com/trust/security/bug-fix-policy . We will
              release new maintenance releases for the versions covered by the
              policy instead of binary

              Binary patches are no longer released.

Severity      Atlassian security advisories include a severity level and a CVE
Levels for    identifier. This severity level is based on our self-calculated
security      CVSS score for each specific vulnerability. CVSS is an industry
issues        standard vulnerability metric. You can learn more about CVSS at 

End of Life   Our end of life policy varies for different products. Please
Policy        refer to our EOL Policy for details. 

Last modified on Jul 21, 2022

--------------------------END INCLUDED TEXT--------------------


NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.