What’s worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.
Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was “trivial to obtain.”
The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence.
“A remote, unauthenticated attacker with knowledge of the hardcoded password may exploit this to log into Confluence and access any pages the confluence-users group has access to,” the company said. “You will need to remediate this vulnerability on affected systems immediately.”
A day later, Atlassian was back to report that “an external party has discovered and publicly disclosed the hardcoded password on Twitter,” leading the company to ratchet up its warnings.
“This issue is more likely to be exploited in the wild now that the hardcoded password is publicly known,” the updated advisory read. “This vulnerability needs to be remediated on affected systems immediately.”
The company warned that even when Confluence installations don't actively have the app installed, they may still be vulnerable. Uninstalling the app doesn't automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system.
To determine if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: email@example.com
Atlassian provided more instructions for locating such accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian provided two ways for customers to fix the issue: disable or remove the “disabledsystemuser” account. The company has also published this list of answers to frequently asked questions.
Confluence users looking for exploitation evidence can check the last authentication time for disabledsystemuser using the instructions here. If the result is null, the account exists on the system, but no one has yet signed in using it. The commands also show any recent login attempts that were successful or unsuccessful.
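The triage logic described above, written out as an added example (it is not Atlassian's own instructions or code). The CSV export layout, its column names, and the `triage` function are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

ACCOUNT = "disabledsystemuser"  # account name given in the advisory

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """username,active,last_authenticated_ms
alice,true,1658300000000
disabledsystemuser,true,1658412345000
"""

def triage(export_text, app_installed):
    """Classify one instance from a user export (assumed CSV layout)."""
    rows = [r for r in csv.DictReader(io.StringIO(export_text))
            if (r.get("username") or "").strip().lower() == ACCOUNT]
    if not rows:
        return {"status": "account-absent", "action": "none"}
    row = rows[0]
    active = (row.get("active") or "").strip().lower() == "true"
    raw = (row.get("last_authenticated_ms") or "").strip()
    finding = {
        # Uninstalling the app leaves the account behind, so the presence of
        # the account, not of the app, decides exposure.
        "orphaned": not app_installed,
        "active": active,
        "last_login": None,
    }
    if raw and raw.lower() != "null":
        # A recorded authentication time means someone has signed in.
        ts = datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)
        finding["last_login"] = ts.isoformat()
        finding["status"] = "login-recorded"
        finding["action"] = "investigate access; disable or remove account"
    elif active:
        # Null result: the account exists but nobody has signed in yet.
        finding["status"] = "exposed-no-login"
        finding["action"] = "disable or remove account"
    else:
        finding["status"] = "disabled-no-login"
        finding["action"] = "none"
    return finding

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT, app_installed=False))
```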
“Now that the patches are out, one can expect patch diff and reverse engineering efforts to produce a public POC in a fairly short time,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should get on to patching public-facing products immediately, and those behind the firewall as quickly as possible. The comments in the advisory recommending against proxy filtering as mitigation suggest that there are multiple trigger pathways.”
The other two vulnerabilities Atlassian disclosed on Wednesday are also serious, affecting the following products:
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Jira Server and Data Center
- Jira Service Management Server and Data Center
Tracked as CVE-2022-26136 and CVE-2022-26137, these vulnerabilities make it possible for remote, unauthenticated hackers to bypass Servlet Filters used by first- and third-party apps.
“The impact depends on which filters are used by each app, and how the filters are used,” the company said. “Atlassian has released updates that fix the root cause of this vulnerability but has not exhaustively enumerated all potential consequences of this vulnerability.”
Vulnerable Confluence servers have long been a favorite opening for hackers looking to install ransomware, cryptominers, and other forms of malware. The vulnerabilities Atlassian disclosed this week are serious enough that admins should prioritize a thorough review of their systems, ideally before the weekend begins.