Atlassian Fixes Critical Hard-Coded Credential Bug

Unauthenticated Attacker Could Access Unpatched Servers

Atlassian released a patch for a hard-coded credential in its workspace collaboration tool Confluence. The Australian company has found no evidence of exploitation of the flaw, which may allow remote, unauthenticated attackers access to a user company's servers.


The vulnerability is the latest in a string of embarrassments for the maker of software development and corporate collaboration tools, including the chief technology officer apologizing in April for a days-long cloud outage.

Atlassian found the vulnerability in Questions for Confluence, a platform for requesting help and sharing knowledge with more than 8,000 active instances.

Once enabled on Atlassian's Confluence server or data center products, the application generated hard-coded credentials, typically with the username disabledsystemuser. The credential was designed to aid the migration of app data to the Confluence cloud. It also allowed anyone with knowledge of it to view and edit nonrestricted pages of the Confluence app, Atlassian says in a security advisory.

The flaw, tracked as CVE-2022-26138, can allow a remote, unauthenticated attacker who knows the hard-coded password to log in to Confluence and access any pages the confluence-users group has access to, Atlassian says.

Atlassian says it's not entirely sure which versions of the Confluence app are affected. The best way to determine whether an instance is affected, it says, is to check for an active disabledsystemuser user.

If such an account does show up, companies can check to see if it has been abused by viewing the last logon instance from the list of users. "If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it," Atlassian says.
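The check described above can be scripted against an exported user list. The following is an added example, not code from Atlassian or from the original article; the CSV column names, the sample rows, the accepted spellings of an empty login time and the case-insensitive username match are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

TARGET = "disabledsystemuser"  # username named in the advisory
# Assumed spellings an export might use for "no login recorded".
NULL_MARKERS = {"", "null", "none", "never", "-"}

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """username,active,last_authenticated
alice,true,2022-07-19T08:14:02
DisabledSystemUser,true,2022-07-21T03:47:55
bob,false,
"""


def parse_last_auth(value):
    """Return a datetime, or None when the export shows no login."""
    value = (value or "").strip()
    if value.lower() in NULL_MARKERS:
        return None
    return datetime.fromisoformat(value)


def triage(export_text):
    """Classify the state of the hard-coded account in a user-list export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Case-insensitive comparison is an assumption of this example.
        if row["username"].strip().lower() != TARGET:
            continue
        active = row["active"].strip().lower() in {"true", "1", "yes"}
        last = parse_last_auth(row["last_authenticated"])
        if last is not None:
            # A recorded login means someone used the account: review access.
            findings.append(("logged_in", active, last))
        elif active:
            # Account exists and is usable, but was never logged in to.
            findings.append(("active_never_used", active, None))
        else:
            findings.append(("disabled_never_used", active, None))
    return findings or [("absent", False, None)]


if __name__ == "__main__":
    for verdict, active, last in triage(SAMPLE_EXPORT):
        print(f"{TARGET}: {verdict} (active={active}, last_auth={last})")
```

A recorded login is reported even when the account has since been disabled, because disabling it afterward does not undo earlier access.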

This latest vulnerability comes just weeks after the company said hackers exploited a zero-day vulnerability affecting all supported versions of Confluence Server and Data Center (see: Unpatched Atlassian Confluence 0-Day Exploited in the Wild).

The bug gave attackers unauthenticated remote code execution privileges. The company issued a patch within a day (see: Atlassian Issues Patch for Critical Confluence Zero-Day).

Security researcher Kevin Beaumont tweeted that users of Confluence should ramp up security by putting it behind a VPN or a reverse proxy. "It's simply too historically vulnerable to leave online. You're a sitting duck," said Beaumont, a former Microsoft threat analyst.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
