-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3574
          Questions For Confluence Security Advisory 2022-07-20
                               22 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Questions For Confluence
Publisher:         Atlassian
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26138

Original Bulletin:
   https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html

Comment: CVSS (Max): None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Questions For Confluence Security Advisory 2022-07-20

Update: This advisory has been updated since its original publication.

21 Jul 2022 8:30 AM PDT (Pacific Time, -7 hours)

  o An external party has discovered and publicly disclosed the hardcoded
    password on Twitter. It is important to remediate this vulnerability on
    affected systems immediately.
  o The Summary of Vulnerability and Severity sections have been updated to
    include this new information.

Summary                  Confluence account with hardcoded credentials created
                         by Questions for Confluence

Advisory Release Date    20 Jul 2022 10:00 AM PDT (Pacific Time, -7 hours)

Affected Products        Questions For Confluence app for:
                           o Confluence Server
                           o Confluence Data Center
                         The Questions for Confluence app for Confluence Cloud
                         is not affected.

CVE ID(s)                CVE-2022-26138

Summary of Vulnerability

When the Questions for Confluence app is enabled on Confluence Server or Data
Center, it creates a Confluence user account with the username
disabledsystemuser. This account is intended to aid administrators that are
migrating data from the app to Confluence Cloud.
The disabledsystemuser account is created with a hardcoded password and is
added to the confluence-users group, which by default allows viewing and
editing all non-restricted pages within Confluence. A remote, unauthenticated
attacker with knowledge of the hardcoded password could use it to log into
Confluence and access any pages the confluence-users group has access to.

An external party has discovered and publicly disclosed the hardcoded
password on Twitter. Refer to the Fixes section below for guidance on how to
remediate this vulnerability.

Severity

This issue is likely to be exploited in the wild now that the hardcoded
password is publicly known. This vulnerability should be remediated on
affected systems immediately.

Atlassian rates the severity level of this vulnerability as critical. The
scale allows us to rank the severity as critical, high, moderate or low. This
is our assessment, and you should evaluate its applicability to your own IT
environment.

How To Determine If You Are Affected

A Confluence Server or Data Center instance is affected if it has an active
user account with the following information:

  o User: disabledsystemuser
  o Username: disabledsystemuser
  o Email: dontdeletethisuser@email.com

Note: It is possible for this account to be present if the Questions for
Confluence app has previously been installed and uninstalled.

If this account does not show up in the list of active users, the Confluence
instance is not affected.

Affected Versions

These are the versions of the app that create the disabledsystemuser account
with a hardcoded password. Confluence installations that do not currently
have any of these versions of the app installed may still be affected,
because the account survives uninstallation. Refer to the How To Determine If
You Are Affected section above and the Fixes section below for more
information.
Questions for Confluence 2.7.x
  o 2.7.34
  o 2.7.35

Questions for Confluence 3.0.x
  o 3.0.2

Fixes

Uninstalling the Questions for Confluence app does not remediate this
vulnerability. The disabledsystemuser account does not automatically get
removed after the app has been uninstalled.

If you have verified a Confluence Server or Data Center instance is affected,
two equally effective ways to remediate this vulnerability are listed below.
These options either disable or remove the disabledsystemuser account.
Configuring data migration from the app to Confluence Cloud is now a manual
process.

Option 1: Update to a non-vulnerable version of Questions for Confluence

Update the Questions for Confluence app to a fixed version:

  o 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
  o Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)

For more information on how to update an app, refer to:
https://confluence.atlassian.com/upm/updating-apps-273875710.html

Fixed versions of the Questions for Confluence app stop creating the
disabledsystemuser user account, and remove it from the system if it has
already been created.

Option 2: Disable or delete the disabledsystemuser account

Search for the disabledsystemuser account and either disable it or delete it.
For instructions on how to disable or delete an account (including an
explanation of the differences between the two options), refer to:
https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html

How To Look For Evidence of Exploitation

To determine if anyone has successfully logged in to the disabledsystemuser
account, refer to the following document, which provides instructions on how
to get a list of users' last logon times:
https://confluence.atlassian.com/confkb/how-to-get-a-list-of-users-with-their-last-logon-times-985499701.html

If the last authentication time for disabledsystemuser is null, that means the
account exists but no one has ever logged into it.
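The three checks the advisory describes (is the installed app version one of
the listed vulnerable releases or at a fixed level, is the disabledsystemuser
account present and active, and has it ever logged in) can be run as one
triage pass. The script below is an added example written for this bulletin;
it is not code from Atlassian or AusCERT. Its in-memory SQLite tables are a
constructed stand-in for the Confluence cwd_user, user_mapping and logininfo
tables that the referenced "last logon times" KB article queries; the column
names, the 'T' active flag and the convention that logininfo.username holds
the user key are assumptions to verify against your own database before
pointing the queries at a production instance.

```python
"""Triage helpers for CVE-2022-26138 (Questions for Confluence creating the
disabledsystemuser account with a hardcoded password).

Added example, not Atlassian's or AusCERT's code.  The SQLite schema is a
constructed approximation of Confluence's cwd_user / user_mapping / logininfo
tables; column names and the 'T'/'F' active flag are assumptions."""
import sqlite3

# Indicators taken from the advisory.
IOC_USERNAME = "disabledsystemuser"
IOC_EMAIL = "dontdeletethisuser@email.com"

# App versions the advisory lists as creating the account.
VULNERABLE_APP_VERSIONS = {(2, 7, 34), (2, 7, 35), (3, 0, 2)}


def parse_version(version):
    """'2.7.38' -> (2, 7, 38); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in version.strip().split("."))


def app_version_status(version):
    """'vulnerable' for a listed version, 'fixed' at or after the fixed level
    of its line (2.7.x >= 2.7.38, otherwise >= 3.0.5), else 'unknown'.
    An 'unknown' version still needs the account check below."""
    v = parse_version(version)
    if v in VULNERABLE_APP_VERSIONS:
        return "vulnerable"
    if v[:2] == (2, 7):
        return "fixed" if v >= (2, 7, 38) else "unknown"
    return "fixed" if v >= (3, 0, 5) else "unknown"


SCHEMA = """
CREATE TABLE cwd_user     (user_name TEXT, active TEXT, email_address TEXT);
CREATE TABLE user_mapping (user_key TEXT, username TEXT);
CREATE TABLE logininfo    (username TEXT, successdate TEXT, failedcount INTEGER);
"""


def open_sample_db(ioc_present=True, ioc_logged_in=True):
    """Constructed sample instance: one normal admin plus, optionally, the IOC
    account with or without a recorded successful login."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    users = [("admin", "T", "admin@example.test")]
    mapping = [("8a7f0001", "admin")]
    logins = [("8a7f0001", "2022-07-19 09:00:00", 0)]
    if ioc_present:
        users.append((IOC_USERNAME, "T", IOC_EMAIL))
        mapping.append(("8a7f0002", IOC_USERNAME))
        # logininfo.username holds the user key, not the login name (assumption).
        logins.append(("8a7f0002",
                       "2022-07-21 03:14:00" if ioc_logged_in else None, 0))
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?)", users)
    conn.executemany("INSERT INTO user_mapping VALUES (?,?)", mapping)
    conn.executemany("INSERT INTO logininfo VALUES (?,?,?)", logins)
    return conn


def find_ioc_account(conn):
    """Return (user_name, active) for the IOC account, matching on either the
    username or the e-mail so a renamed copy is still caught; None if absent."""
    return conn.execute(
        "SELECT user_name, active FROM cwd_user "
        "WHERE lower(user_name) = ? OR lower(email_address) = ?",
        (IOC_USERNAME, IOC_EMAIL)).fetchone()


def last_successful_login(conn, username):
    """Timestamp of the last successful login, or None if the user has never
    logged in (the advisory's 'null' case)."""
    row = conn.execute(
        "SELECT li.successdate FROM user_mapping um "
        "LEFT JOIN logininfo li ON li.username = um.user_key "
        "WHERE um.username = ?", (username,)).fetchone()
    return row[0] if row else None


def triage(conn, app_version):
    """Combine the advisory's three checks into one verdict dictionary."""
    account = find_ioc_account(conn)
    affected = account is not None and account[1] == "T"
    last_login = last_successful_login(conn, account[0]) if account else None
    if affected:
        action = "disable or delete the account, then review its login history"
    elif account:
        action = "account exists but is inactive; confirm it was disabled deliberately"
    else:
        action = "not affected"
    return {
        "app_version": app_version_status(app_version),
        "account_present": account is not None,
        "affected": affected,                  # active IOC account exists
        "last_login": last_login,
        "exploited": last_login is not None,   # someone has used the account
        "action": action,
    }


if __name__ == "__main__":
    for present, logged_in in [(True, True), (True, False), (False, False)]:
        print(triage(open_sample_db(present, logged_in), "2.7.34"))
```

The version check alone is not a verdict: an instance running a fixed
release, or no release at all, can still carry the account from an earlier
install, which is why triage() reports the account and login evidence
separately from the app version.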
Related Tickets

  o CONFSERVER-79483 - Questions For Confluence App - Hardcoded Password
    Published

Support

If you did not receive an email for this advisory and you wish to receive
such emails in the future, go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory that aren't
answered in the FAQ, please raise a support request at
https://support.atlassian.com/.

References

Security Bug Fix Policy    As per our new policy, critical security bug fixes
                           will be back ported in accordance with
                           https://www.atlassian.com/trust/security/bug-fix-policy .
                           We will release new maintenance releases for the
                           versions covered by the policy instead of binary
                           patches. Binary patches are no longer released.

Severity Levels for        Atlassian security advisories include a severity
security issues            level and a CVE identifier. This severity level is
                           based on our self-calculated CVSS score for each
                           specific vulnerability. CVSS is an industry
                           standard vulnerability metric. You can learn more
                           about CVSS at FIRST.org.

End of Life Policy         Our end of life policy varies for different
                           products. Please refer to our EOL Policy for
                           details.

Last modified on Jul 21, 2022

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYtoE1skNZI30y1K9AQg8kw/7BtXWmoEqFmsbfB2oQC5npCu26ixykzZN
m+Pu3iuJ7PtR2bI1AXDWnFymYw/weO+AjELL4HjGleoJ2ZbfIvoYFg3CI3DqZUPy
LsaQSo28h2LlsL4ru1JiNgCRMPRnzwD4Ypha02T7md6DEeuhVnG8HIjuUgykT32Z
6FfC4lVeDKPZQ6veefDXVisSd276VeMv1d81UN9OM+7EGNlbE8BgmOOS9KKFKbG8
9Nw10KcrIoOmpmEf8gdSD/137dVW/e/5NTikipx984kOMF0ZVduHXMTJKd2VT9B8
whsalrW44hm33E2J6b4wBShfO9odezs+xbMmP7ibaykirSzuZjIAYCHJxmInVbd9
dnCEnF0/md1qMT+tcNbohrCQ8xiEmbNqcGbJwVDhlK+zuj68EcJeY/7KC6A6r7/J
yZ2i43x7SyRHDoHQe3w++tAz9x1ltwE9EKh0YoRbB8ZpUaME2D4Ewhp8oAbadV49
vUffIuB9mbw4QYRrVUv/tipz+RsMaGX1WsXfM+TZ3t5rMlM1WN4XiuCNGv/cGeF3
cjRew0TX+6u0QFIZKSnRXzaAbkmS04XTUfThNhzt0NlIK/J9npsFCj2ZvytKsg8c
HWvHuYpan2kVGj/5KcPdrsARLUcgYlqyR9V517wVnM44ZryN/SZfbUx+AIGnZGHL
FL1eCnL99CM=
=Eaum
-----END PGP SIGNATURE-----