Advisory for Confluence Security Update

  • NIC-CERT/2022-08/335
  • Date: 2022-08-01
  • CVE ID: CVE-2022-26138
  • Severity: Critical

A. Description:

Atlassian has released a security advisory for a vulnerability in which the Questions for Confluence app creates a Confluence account with hardcoded credentials. When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators who are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which by default allows viewing and editing all non-restricted pages within Confluence. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.

B. Security Issues:

The Atlassian Questions for Confluence app contains hard-coded credentials, exposing a username and password in plaintext. A remote, unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.

C. Affected Products & Solution:

CVE              | Affected Product                 | Affected Versions | Fixes
-----------------+----------------------------------+-------------------+------------------
CVE-2022-26138   | Questions for Confluence 2.7.x   | 2.7.34, 2.7.35    | 2.7.38 and later
                 | Questions for Confluence 3.0.x   | 3.0.2             | 3.0.5 and later

Uninstalling the Questions for Confluence app does not remediate this vulnerability.

The options below either disable or remove the disabledsystemuser account. After either option, configuring data migration from the app to Confluence Cloud becomes a manual process.

Option 1: Update to a non-vulnerable version of Questions for Confluence

Update the Questions for Confluence app to a fixed version:

  • 2.7.x: version 2.7.38 or later (compatible with Confluence 6.13.18 through 7.16.2)
  • 3.0.x and later: version 3.0.5 or later (compatible with Confluence 7.16.3 and later)

Option 2: Disable or delete the disabledsystemuser account

Search for the disabledsystemuser account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to:

https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html
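Added example (not part of this advisory or of Atlassian's own tooling) covering both remediation options: a version check that applies the affected and fixed version ranges stated under Option 1, and a log scan that tells an administrator whether the disabledsystemuser account from Option 2 was ever used before it was disabled or deleted. The access-log format and the sample lines are constructed for this example (Apache/Tomcat "combined" style); the regex will need adjusting for a differently configured access log.

```python
"""Defender-side checks for CVE-2022-26138 (Questions for Confluence).

1. version_status(): classifies an installed Questions for Confluence
   version against the advisory: 2.7.34, 2.7.35 and 3.0.2 are affected;
   2.7.38+ (2.7.x line) and 3.0.5+ are fixed; anything else is "not listed".
2. find_account_use(): scans access-log lines for requests authenticated
   as 'disabledsystemuser', the hardcoded account the advisory describes.

The log lines below are constructed sample data, not real traffic.
"""
import re
from typing import Dict, List, Tuple

HARDCODED_ACCOUNT = "disabledsystemuser"

# Versions named as affected in the advisory.
AFFECTED_VERSIONS = {(2, 7, 34), (2, 7, 35), (3, 0, 2)}
# Fixed versions named in Option 1.
FIXED_27 = (2, 7, 38)   # 2.7.x line
FIXED_30 = (3, 0, 5)    # 3.0.x and later


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.35' into (2, 7, 35); raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for an installed version."""
    v = parse_version(text)
    if v in AFFECTED_VERSIONS:
        return "affected"
    if v[:2] == (2, 7):
        return "fixed" if v >= FIXED_27 else "not listed"
    if v >= FIXED_30:
        return "fixed"
    return "not listed"


# Combined-format access log: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one ordinary user, two requests by the
# hardcoded account from the same address, one unauthenticated request.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [01/Aug/2022:09:12:01 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - disabledsystemuser [01/Aug/2022:09:15:44 +0000] "POST /dologin.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - disabledsystemuser [01/Aug/2022:09:15:45 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2022:09:16:02 +0000] "GET /login.action HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""


def find_account_use(log_text: str, account: str = HARDCODED_ACCOUNT) -> List[Dict[str, object]]:
    """Return every parsed request whose authenticated user is `account`.

    Lines that do not match the expected format are skipped rather than
    raising, so a partially rotated or mixed-format log still yields results.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") == account:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for ver in ("2.7.35", "2.7.38", "3.0.2", "3.0.5", "2.7.20"):
        print(f"Questions for Confluence {ver}: {version_status(ver)}")
    uses = find_account_use(SAMPLE_ACCESS_LOG)
    print(f"{len(uses)} request(s) by {HARDCODED_ACCOUNT}:")
    for h in uses:
        print(f"  {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```

Any hit from find_account_use() means the hardcoded account was used on this instance and the affected pages should be reviewed; an empty result only covers the log window scanned, so the account should still be disabled or deleted as Option 2 describes.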

D. References:

https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html