Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.3574
Questions For Confluence Security Advisory 2022-07-20
22 July 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Questions For Confluence
Publisher: Atlassian
Operating System: Windows
Linux variants
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26138
Original Bulletin:
https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
Questions For Confluence Security Advisory 2022-07-20
Update: This advisory has been updated since its original publication.
21 Jul 2022 8:30 AM PDT (Pacific Time, -7 hours)
o An external party has discovered and publicly disclosed the hardcoded
password on Twitter. It is important to remediate this vulnerability on
affected systems immediately.
o The Summary of Vulnerability and Severity sections have been updated to
include this new information
Summary Confluence account with hardcoded credentials created by
Questions for Confluence
Advisory Release 20 Jul 2022 10:00 AM PDT (Pacific Time, -7 hours)
Date
Questions For Confluence app for:
o Confluence Server
Affected
Products o Confluence Data Center
The Questions for Confluence app for Confluence Cloud is not
affected.
CVE ID(s) CVE-2022-26138
Summary of Vulnerability
When the Questions for Confluence app is enabled on Confluence Server or Data
Center, it creates a Confluence user account with the username
disabledsystemuser. This account is intended to aid administrators that are
migrating data from the app to Confluence Cloud. The disabledsystemuser account
is created with a hardcoded password and is added to the confluence-users group
, which allows viewing and editing all non-restricted pages within Confluence
by default. A remote, unauthenticated attacker with knowledge of the hardcoded
password could exploit this to log into Confluence and access any pages the
confluence-users group has access to.
An external party has discovered and publicly disclosed the hardcoded password
on Twitter. Refer to the Fixes section below for guidance on how to remediate
this vulnerability.
Severity
This issue is likely to be exploited in the wild now that the hardcoded
password is publicly known. This vulnerability should be remediated on affected
systems immediately.
Atlassian rates the severity level of this vulnerability as critical. The scale
allows us to rank the severity as critical, high, moderate or low. This is our
assessment, and you should evaluate its applicability to your own IT
environment.
How To Determine If You Are Affected
A Confluence Server or Data Center instance is affected if it has an active
user account with the following information:
o User: disabledsystemuser
o Username: disabledsystemuser
o Email: dontdeletethisuser@email.com
(warning) It is possible for this account to be present if the Questions for
Confluence app has previously been installed and uninstalled.
If this account does not show up in the list of active users, the Confluence
instance is not affected.
Affected Versions
These are the versions of the app that create the disabledsystemuser account
with a hardcoded password. Confluence installations that do not actively have
any of these versions of the app installed may still be affected. Refer to the
How To Determine If You Are Affected section above and the Remediation section
below for more information.
o 2.7.34
Questions for Confluence 2.7.x o 2.7.35
Questions for Confluence 3.0.x o 3.0.2
Fixes
Uninstalling the Questions for Confluence app does not remediate this
vulnerability. The disabledsystemuser account does not automatically get
removed after the app has been uninstalled. If you have verified a Confluence
Server or Data Center instance is affected, two equally effective ways to
remediate this vulnerability are listed below.
These options either disable or remove the disabledsystemuser account.
Configuring data migration from the app to Confluence Cloud is now a manual
process.
Option 1: Update to a non-vulnerable version of Questions for Confluence
Update the Questions for Confluence app to a fixed version:
o 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
o Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
For more information on how to update an app, refer to:
https://confluence.atlassian.com/upm/updating-apps-273875710.html
Fixed versions of the Questions for Confluence app stop creating the
disabledsystemuser user account, and remove it from the system if it has
already been created.
Option 2: Disable or delete the disabledsystemuser account
Search for the disabledsystemuser account and either disable it or delete it.
For instructions on how to disable or delete an account (including an
explanation of the differences between the two options), refer to:
https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html
How To Look For Evidence of Exploitation
To determine if anyone has successfully logged in to the disabledsystemuser
account, refer to the following document which provides instructions on how to
get a list of users' last logon times:
https://confluence.atlassian.com/confkb/
how-to-get-a-list-of-users-with-their-last-logon-times-985499701.html
If the last authentication time for disabledsystemuser is null, that means the
account exists but no one has ever logged into it.
Related Tickets
o [viewavatar]CONFSERVER-79483 - Questions For Confluence App - Hardcoded
Password Published
Support
If you did not receive an email for this advisory and you wish to receive such
emails in the future, go to https://my.atlassian.com/email and subscribe
to Alerts emails.
If you have questions or concerns regarding this advisory that aren't answered
in the FAQ, please raise a support request at https://support.atlassian.com/.
References
As per our new policy, critical security bug fixes will be back
ported in accordance with https://www.atlassian.com/trust/
Security Bug security/bug-fix-policy . We will release new maintenance
fix Policy releases for the versions covered by the policy instead of binary
patches.
Binary patches are no longer released.
Severity Atlassian security advisories include a severity level and a CVE
Levels for identifier. This severity level is based on our self-calculated
security CVSS score for each specific vulnerability. CVSS is an industry
issues standard vulnerability metric. You can learn more about CVSS at
FIRST.org.
End of Life Our end of life policy varies for different products. Please
Policy refer to our EOL Policy for details.
Last modified on Jul 21, 2022
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYtoE1skNZI30y1K9AQg8kw/7BtXWmoEqFmsbfB2oQC5npCu26ixykzZN
m+Pu3iuJ7PtR2bI1AXDWnFymYw/weO+AjELL4HjGleoJ2ZbfIvoYFg3CI3DqZUPy
LsaQSo28h2LlsL4ru1JiNgCRMPRnzwD4Ypha02T7md6DEeuhVnG8HIjuUgykT32Z
6FfC4lVeDKPZQ6veefDXVisSd276VeMv1d81UN9OM+7EGNlbE8BgmOOS9KKFKbG8
9Nw10KcrIoOmpmEf8gdSD/137dVW/e/5NTikipx984kOMF0ZVduHXMTJKd2VT9B8
whsalrW44hm33E2J6b4wBShfO9odezs+xbMmP7ibaykirSzuZjIAYCHJxmInVbd9
dnCEnF0/md1qMT+tcNbohrCQ8xiEmbNqcGbJwVDhlK+zuj68EcJeY/7KC6A6r7/J
yZ2i43x7SyRHDoHQe3w++tAz9x1ltwE9EKh0YoRbB8ZpUaME2D4Ewhp8oAbadV49
vUffIuB9mbw4QYRrVUv/tipz+RsMaGX1WsXfM+TZ3t5rMlM1WN4XiuCNGv/cGeF3
cjRew0TX+6u0QFIZKSnRXzaAbkmS04XTUfThNhzt0NlIK/J9npsFCj2ZvytKsg8c
HWvHuYpan2kVGj/5KcPdrsARLUcgYlqyR9V517wVnM44ZryN/SZfbUx+AIGnZGHL
FL1eCnL99CM=
=Eaum
-----END PGP SIGNATURE-----