A newly disclosed vulnerability affecting users of Atlassian’s Confluence collaboration platform could give a malicious actor remote access to all non-restricted pages in an organisation’s Confluence instance, and should be fixed immediately.
Tracked as CVE-2022-26138, the vulnerability was disclosed on Wednesday 20 July 2022. It exists in the Questions for Confluence app which, when enabled on Confluence Server or Data Center, creates a Confluence user account with a hardcoded password that is used to help admins migrate data from the app to Confluence Cloud. This account is allowed to view and edit all non-restricted pages in Confluence by default.
If a malicious actor were to gain knowledge of this hardcoded password, they could use it remotely to log into Confluence and access any page the account can view or edit. The hardcoded password has since been discovered and publicly disclosed on Twitter, making CVE-2022-26138 a critical issue that will be exploited in short order.
According to Atlassian, an instance of Confluence Server or Data Center is affected if it has an active user account with any of the following information:
Affected users have two options: update to a non-vulnerable version of Questions for Confluence, or disable or delete the privileged account. Further details on both of these actions can be found here.
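Because the account exists only for a one-off migration, a defender can check both whether it is still active and whether anything has authenticated as it. The script below is an added example, not Atlassian's code or part of the advisory; the account name is a placeholder to be replaced with the username the advisory lists, and the access-log layout and all sample data are constructed for illustration.

```python
import re
from collections import Counter

# Placeholder: substitute the username given in Atlassian's advisory.
MIGRATION_ACCOUNT = "MIGRATION_ACCOUNT_PLACEHOLDER"

# Assumed access-log layout (constructed for this example):
# client-ip  authenticated-user  [timestamp]  "request"  status
LOG_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})')

def affected_accounts(users, account=MIGRATION_ACCOUNT):
    """Return user records that match the advisory's account and are still active."""
    return [u for u in users if u["username"] == account and u["active"]]

def migration_account_activity(log_lines, account=MIGRATION_ACCOUNT):
    """Return every request authenticated as the migration account.
    Routine activity by this account, especially with 2xx/3xx responses,
    is evidence that the leaked password is being used."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed layout
        ip, user, ts, req, status = m.groups()
        if user == account:
            hits.append({"ip": ip, "time": ts, "request": req, "status": int(status)})
    return hits

def source_summary(hits):
    """Count successful requests per source address for triage."""
    return Counter(h["ip"] for h in hits if h["status"] < 400)

# Constructed sample data: one active migration account, two normal users.
SAMPLE_USERS = [
    {"username": "alice", "active": True},
    {"username": MIGRATION_ACCOUNT, "active": True},
    {"username": "bob", "active": False},
]
SAMPLE_LOG = [
    f'198.51.100.7 {MIGRATION_ACCOUNT} [21/Jul/2022:10:02:11 +0000] "GET /rest/api/content?limit=200 HTTP/1.1" 200',
    '203.0.113.9 alice [21/Jul/2022:10:03:40 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200',
    f'198.51.100.7 {MIGRATION_ACCOUNT} [21/Jul/2022:10:04:05 +0000] "GET /download/attachments/42/plan.pdf HTTP/1.1" 200',
    '192.0.2.33 - [21/Jul/2022:10:05:00 +0000] "POST /dologin.action HTTP/1.1" 302',
]

if __name__ == "__main__":
    print("still affected:", [u["username"] for u in affected_accounts(SAMPLE_USERS)])
    print("activity by source:", dict(source_summary(migration_account_activity(SAMPLE_LOG))))
```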
Bugcrowd founder Casey Ellis commented: “This is a trivial bug to exploit, and therefore an urgent patch or mitigation. The vulnerability does require the Questions for Confluence app to have been installed, which will limit the spread of impact here, but in general, anyone who runs Confluence should assume that there’s a potential problem, read the advisory – which I think Atlassian have done a great job on in helping their users simplify the task of determining exposure – and act accordingly.”
June vulnerability
Unfortunately, CVE-2022-26138 is the second major vulnerability uncovered in Confluence in recent months, following the disclosure of CVE-2022-26134 in June.
This is a remote code execution vulnerability in Confluence Server and Data Center which, when exploited, enables an unauthenticated attacker to execute arbitrary code on an affected instance.
In a demonstration of how the widespread popularity of Confluence makes exploiting vulnerabilities in the service particularly attractive to bad actors, Akamai reported it saw about 100,000 exploitation attempts daily in the first days after release, falling back to 20,000 per day at the end of June, from approximately 6,000 malicious IPs – of which 50% had already been identified as such by Akamai.
Akamai said it observed multiple different cyber attacks unfolding through the vulnerability, including the delivery of malicious webshells, malware and illicit cryptominers.
Further to this disclosure, Rapid7’s threat intelligence team found a user on the Russian-language XSS forum selling root access to 50 enterprise networks that they had gained through CVE-2022-26134. According to The Record, the same broker also claimed to have access to as many as 10,000 vulnerable Atlassian customers.