
CISA Analysis 2022/8/1

Unsurprisingly, CISA has added the recent critical vulnerability in Atlassian’s Confluence Server and Data Center, CVE-2022-26138, to their Known Exploited Vulnerabilities Catalog.

CVE-2022-26138 is a hard-coded credentials flaw (CWE-798) that allows unauthenticated attackers to remotely exploit the vulnerability and log in to unpatched servers.

When the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) is installed, an account with the username of ‘disabledsystemuser’ is created along with its associated hard-coded password. This password was leaked on Twitter on the 23rd of July. If CVE-2022-26138 is exploited, an attacker would gain access to any pages that the confluence-users group has access to. Uninstalling the app does not remove the account.

If affected, a Confluence Server or Data Center instance will have an active user account with this information:

• User: disabledsystemuser

• Username: disabledsystemuser

• Email: dontdeletethisuser@email.com

Per an advisory released by Atlassian, there are two options for mitigating CVE-2022-26138. Option one is to update the Questions for Confluence app to a non-vulnerable version:

• 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)

• Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)

These “fixed” versions do not create the ‘disabledsystemuser’ account, and will remove it from the system if present.

Option two is to disable or delete the ‘disabledsystemuser’ account. Unfortunately, if Confluence is configured to use a read-only external directory, you are required to remove the account from all external directories and perform a directory resync before the account can be deleted.
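The two facts above (the account fingerprint an affected instance carries, and the fixed version floors) can be turned into a small triage check. The following is an added example, not code from the original post or from Atlassian; it takes an app version string plus a list of user records (for instance from a user export or admin listing) and reports whether the Questions for Confluence version is one the advisory lists as affected, one at or above the fixed floors, or something in between that needs a manual look, and whether the hard-coded account is still present. The `UserRecord` shape and the sample data are constructed for illustration.

```python
"""Added triage helper for CVE-2022-26138 (example, not from the original post).

Checks encoded from the advisory:
  1. Questions for Confluence version: affected (2.7.34, 2.7.35, 3.0.2),
     fixed (2.7.x >= 2.7.38, or >= 3.0.5), or 'review' for anything else.
  2. Presence of the 'disabledsystemuser' account (username or its
     tell-tale email). The account survives uninstalling the app, so this
     check runs regardless of the version result.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Releases exactly as the advisory lists them.
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
FIXED_FLOOR_2_7 = (2, 7, 38)   # 2.7.x line: fixed at 2.7.38 and later
FIXED_FLOOR_3 = (3, 0, 5)      # 3.x line: fixed at 3.0.5 and later

# Fingerprint of the account the vulnerable app creates.
SUSPECT_USERNAME = "disabledsystemuser"
SUSPECT_EMAIL = "dontdeletethisuser@email.com"


@dataclass
class UserRecord:
    """Minimal user record; assumed shape for illustration."""
    username: str
    email: str
    active: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.7.38' into (2, 7, 38); stops at the first non-numeric piece."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def classify_app_version(version: str) -> str:
    """Return 'affected', 'fixed' or 'review' for a Questions for Confluence version."""
    if version in AFFECTED_VERSIONS:
        return "affected"
    parsed = parse_version(version)
    if len(parsed) < 2:
        return "review"                       # unparseable: look at it by hand
    if parsed[:2] == (2, 7):
        return "fixed" if parsed >= FIXED_FLOOR_2_7 else "review"
    if parsed[0] == 3:
        return "fixed" if parsed >= FIXED_FLOOR_3 else "review"
    return "review"                           # a line the advisory does not cover


def find_suspect_accounts(users: Iterable[UserRecord]) -> List[Tuple[str, str, bool]]:
    """Flag accounts matching the hard-coded user by name or by its email."""
    hits = []
    for u in users:
        if u.username.lower() == SUSPECT_USERNAME or u.email.lower() == SUSPECT_EMAIL:
            hits.append((u.username, u.email, u.active))
    return hits


def triage(app_version: str, users: Iterable[UserRecord]) -> Dict[str, object]:
    """Combine both checks into one summary; 'exposed' means the account is still active."""
    accounts = find_suspect_accounts(users)
    return {
        "app_version": classify_app_version(app_version),
        "accounts": accounts,
        "exposed": any(active for _, _, active in accounts),
    }


# Constructed sample data: one instance still carrying the account.
SAMPLE_USERS = [
    UserRecord("admin", "admin@example.com", True),
    UserRecord("DisabledSystemUser", "dontdeletethisuser@email.com", True),
    UserRecord("jdoe", "jdoe@example.com", True),
]

if __name__ == "__main__":
    result = triage("2.7.35", SAMPLE_USERS)
    print(f"app version: {result['app_version']}")
    for name, mail, active in result["accounts"]:
        print(f"  {name} <{mail}> {'ACTIVE' if active else 'disabled'}")
    print("exposed" if result["exposed"] else "not exposed")
```

The version check deliberately answers "review" for versions the advisory neither lists as affected nor covers with a fixed floor (for example 2.7.37 or 3.0.4), rather than guessing; the account check is case-insensitive and matches on the email as well, since a renamed account would otherwise slip past a username-only search.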

CISA has given US federal agencies three weeks to secure their servers.

Image: Maxwell Nelson

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
