"Questions for Confluence" App Vulnerability Advisory | July 2022

The default user account password for the Confluence support app "Questions for Confluence" was leaked. Here's what you need to know.

Background

On July 20, 2022, Atlassian issued a security advisory for a critical vulnerability, CVE-2022-26138, identified in the “Questions for Confluence” support app within Atlassian's Confluence Server and Confluence Data Center servers. Confluence is software that allows collaboration using a document and knowledge repository. The vulnerability allows any remote unauthenticated user to gain access to Confluence instances, including viewing and editing permissions to all non-restricted documents. Organizations that use Confluence with this app are at risk of their data being accessed and taken, which can lead to extortion attempts against the organization. Corvus believes there to be a high likelihood of exploitation in the wild and is encouraging you to update immediately if you are using the “Questions for Confluence” app.

Quick facts: what you need to know

  • An external party recently publicly disclosed a hardcoded password for the default user account in the app.
  • The “Questions for Confluence” app creates a default user account with the username “disabledsystemuser” and a hardcoded password. This account is intended to aid administrators in migrating data from the on-premise app to Confluence Cloud.
  • A remote, unauthenticated attacker with knowledge of the hardcoded password could log into Confluence and view or edit all non-restricted pages the confluence-users group can access.

Next Steps for All "Questions for Confluence" App users: 

  1. Immediately update the vulnerable application to a fixed version using Atlassian's guidance for updating apps
    1. 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
    2. Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
  2. If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), take the following mitigation steps:
    1. Search for the “disabledsystemuser” account and either disable it or delete it. Read more on how to disable or delete an account here.
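
The checks above can be scripted for triage across several instances. The following is an added example, not code from Atlassian or Corvus: it tests an installed app version against the fixed ranges listed above, looks for an active “disabledsystemuser” account, and flags log lines that reference it. The user list, log format and sample values are constructed assumptions; adapt the inputs to your own exports.

```python
import re

ACCOUNT = "disabledsystemuser"  # default account named in the advisory

def parse_version(text):
    """Turn '2.7.38' into (2, 7, 38); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '3.1' to (3, 1, 0)

def on_fixed_release(version):
    """True only for the fixed ranges listed above: 2.7.x >= 2.7.38, or >= 3.0.5."""
    v = parse_version(version)
    if v[:2] == (2, 7):
        return v >= (2, 7, 38)
    return v >= (3, 0, 5)

def triage(app_version, users, log_lines):
    """Return a list of findings for one Confluence instance."""
    findings = []
    if not on_fixed_release(app_version):
        findings.append(f"app {app_version} is not a fixed release: update")
    for name, active in users:
        if name.lower() == ACCOUNT and active:
            findings.append(f"account {name} exists and is active: disable or delete")
    hits = [line for line in log_lines if ACCOUNT in line.lower()]
    if hits:
        findings.append(f"{len(hits)} log line(s) reference {ACCOUNT}: review access")
    return findings

# Constructed sample data (not from a real instance; the log format is assumed).
USERS = [("admin", True), ("disabledsystemuser", True), ("jdoe", True)]
LOGS = [
    '203.0.113.7 jdoe [21/Jul/2022:09:14:02] "GET /dashboard.action" 200',
    '198.51.100.23 disabledsystemuser [21/Jul/2022:09:15:40] "GET /pages/viewpage.action" 200',
]

if __name__ == "__main__":
    for finding in triage("2.7.37", USERS, LOGS):
        print(finding)
```

The version check only reports whether a release falls in the fixed ranges this advisory lists; it does not determine which older releases are affected.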

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!