This vulnerability affects on-premise installations of Confluence, where the “Questions for Confluence” add-on is installed or has been installed at any point. Admins should update their instances immediately and ensure they have not been compromised.
The dust had not quite settled on the critical Confluence RCE vulnerability from June when, last Wednesday (July 20th, 2022), Atlassian notified users of another critical vulnerability, now assigned CVE-2022-26138. It affects Confluence installations with the “Questions for Confluence” add-on and is caused by hard-coded credentials, giving any remote user nearly full access to the Confluence instance. The situation became more urgent when the credentials appeared on Twitter only one day later, making it trivial to exploit vulnerable instances. Confluence is Atlassian’s enterprise wiki and knowledge base software. The Questions for Confluence add-on provides a Stack Overflow-like Q&A portal: employees can ask and answer questions, and authors of highly upvoted answers gain points on their profile. Questions for Confluence is a paid add-on developed by Atlassian and is not installed by default.
- What is CVE-2022-26138?
- How to patch the CVE-2022-26138 Confluence vulnerability?
- Attack Surface Intelligence finds Confluence instances and checks for CVE-2022-26138
What is CVE-2022-26138?
During the installation process of the Questions for Confluence add-on, an account called disabledsystemuser belonging to the confluence-users group is created. By default, members of this group are allowed to view and edit all non-restricted pages within the Confluence installation. When the add-on is uninstalled, this account is not deleted and persists on the system. According to some sources, the account was intended to be used by Atlassian admins when assisting customers with migrations to Confluence Cloud. Whatever the intent, the hard-coded credentials of this account are the same on every installation and represent a critical vulnerability. Upon first disclosing the issue, Atlassian was worried the password might be easy to obtain and urged admins to update as soon as possible.
Only one day later, the credentials were discovered in a .jar file and leaked on Twitter. From that point on at the latest, the credentials have to be considered public knowledge, and affected instances reachable from the internet are trivial to exploit. The email address [email protected] assigned to this account seems to have been chosen as a simple placeholder. However, its domain is valid and belongs to a free email provider, and the address had not been registered there prior to disclosure of the vulnerability. This led to a further information disclosure when a party involved with the leak registered the address and immediately received automatic notification messages from affected instances.
How to patch the CVE-2022-26138 Confluence vulnerability?
A system is affected if it has version 2.7.34, 2.7.35, or 3.0.2 of Questions for Confluence installed. The vulnerability can be mitigated by installing the updates provided by Atlassian. A system might still be affected if it runs another version or if the add-on is no longer installed at all. This can be verified by checking whether an account with the following credentials exists on the installation:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: [email protected]
If such an account exists, the system is affected and the vulnerability can be mitigated by manually deleting the account. Both options are described in detail in Atlassian’s security advisory. In any case, simply uninstalling the Questions for Confluence add-on does not remediate the vulnerability. To check whether a system has already been exploited, you can use the latest logon time of disabledsystemuser as an indicator of compromise. Atlassian provided information on how to do this here.
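The account check and the logon-time indicator described above can be run against a user export rather than by clicking through the admin UI. The following script is an added example for this article, not Atlassian’s code or tooling: it assumes user records exported from the Confluence user directory as dicts with the keys "username", "email", "groups", "active" and "last_login" (ISO 8601 or None), which is a constructed record format; the sample records and the IOC_EMAIL placeholder (to be replaced with the address from Atlassian’s advisory) are likewise constructed.

```python
"""Offline triage of Confluence user records for the CVE-2022-26138 account.

Added example for this article; not Atlassian's code. Assumes records exported
from the Confluence user directory as dicts with the keys "username", "email",
"groups", "active" and "last_login" (ISO 8601 string or None). The record
format, the sample records and the e-mail placeholder are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable

IOC_USERNAME = "disabledsystemuser"
IOC_GROUP = "confluence-users"
# Placeholder: substitute the address listed in Atlassian's advisory for CVE-2022-26138.
IOC_EMAIL = "PLACEHOLDER_EMAIL_FROM_ATLASSIAN_ADVISORY"


def is_hardcoded_account(user: Dict, ioc_email: str = IOC_EMAIL) -> bool:
    """Match on username or e-mail. Either alone is enough to investigate,
    since an admin may have renamed one attribute but not the other."""
    username = (user.get("username") or "").strip().lower()
    email = (user.get("email") or "").strip().lower()
    return username == IOC_USERNAME or email == ioc_email.lower()


def assess_account(user: Dict) -> Dict:
    """Classify a matching account. The account has no legitimate interactive
    use, so any recorded authentication is the indicator of compromise the
    advisory points to; group membership shows what an attacker could reach."""
    last_login = user.get("last_login")
    finding = {
        "username": user.get("username"),
        "active": bool(user.get("active", True)),
        "in_confluence_users": IOC_GROUP in (user.get("groups") or []),
        "last_login": last_login,
        "possible_compromise": last_login is not None,
        "last_login_utc": None,
    }
    if last_login is not None:
        # Normalise the timestamp to UTC for the report; an unparseable value
        # is left as None but the login itself still counts as suspicious.
        try:
            parsed = datetime.fromisoformat(last_login.replace("Z", "+00:00"))
            finding["last_login_utc"] = parsed.astimezone(timezone.utc).isoformat()
        except ValueError:
            pass
    return finding


def triage(users: Iterable[Dict], ioc_email: str = IOC_EMAIL) -> Dict:
    """Return whether the installation is affected (account present) and
    whether it shows signs of exploitation (account has authenticated)."""
    matches = [assess_account(u) for u in users if is_hardcoded_account(u, ioc_email)]
    return {
        "affected": bool(matches),
        "possible_compromise": any(m["possible_compromise"] for m in matches),
        "matches": matches,
    }


# Constructed sample export: one ordinary user and the add-on's account,
# which in this sample has authenticated after the credentials leaked.
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@example.com",
     "groups": ["confluence-users"], "active": True,
     "last_login": "2022-07-19T08:12:00Z"},
    {"username": "disabledsystemuser", "email": IOC_EMAIL,
     "groups": ["confluence-users"], "active": True,
     "last_login": "2022-07-21T23:41:07Z"},
]

if __name__ == "__main__":
    report = triage(SAMPLE_USERS)
    print("affected:", report["affected"])
    print("possible compromise:", report["possible_compromise"])
    for m in report["matches"]:
        print(m)
```

An account that is present but has never authenticated means the instance is affected and the account should be removed as the advisory describes; a recorded login means the instance should additionally be treated as potentially compromised and investigated, since nothing legitimate signs in as this user.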
Attack Surface Intelligence finds Confluence instances and checks for CVE-2022-26138
Gain complete visibility of your attack surface today with Attack Surface Intelligence (ASI), including any Confluence instances vulnerable to CVE-2022-26138 as described in this article; ASI can also automate scanning for the hard-coded credentials used in this exploit. Get started now: