What’s worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.
Atlassian revealed on Wednesday three critical vulnerabilities in its products, including CVE-2022-26138, which stems from a hardcoded password in Questions for Confluence, an app that lets users quickly get support for frequently asked questions involving Atlassian products. The company warned that the passcode was “trivial to get”.
The company said Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account referred to as the disabled system user, which is intended to help administrators migrate data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows viewing and editing of all non-restricted pages within Confluence.
“An unauthenticated remote attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages that a group of Confluence users can access,” the company said. “It is important to address this vulnerability on affected systems immediately.”
A day later, Atlassian returned to report that “a third party has discovered and publicly disclosed the hardcoded password on Twitter,” prompting the company to escalate its warnings.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” the updated advisory states. “This vulnerability should be addressed on affected systems immediately.”
The company warned that even if the app is not currently installed on a Confluence instance, the instance could still be vulnerable. Uninstalling the app does not automatically remediate the vulnerability, because the disabled system user account still exists on the system.
To find out whether a system is vulnerable, Atlassian advised Confluence users to look for accounts with the following attributes:
- User: disabled system user
- Username: disabled system user
- Email: [email protected]
Atlassian has provided further instructions for locating these accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian offered two ways for customers to fix the problem: disabling or removing the disabled system user account. The company also published a list of frequently asked questions.
Users looking for evidence of exploitation can check the last authentication time of the disabled system user using the instructions here. If the result is empty, the account is present on the system but no one has ever logged in with it. The commands also display any recent successful or failed login attempts.
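As an added illustration (not from the article or from Atlassian), the following Python script applies the three checks above to a constructed Confluence user listing: is the indicator account present, is it still enabled, and does the last-authentication data show that anyone has used it. The username and e-mail constants are assumptions; take the exact values from Atlassian’s advisory.

```python
"""Assess a Confluence user listing for the hardcoded-credential account that
Questions for Confluence creates (CVE-2022-26138): presence, enabled state and
login history. All user records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# ASSUMPTION: the article only calls this the "disabled system user" account;
# confirm the exact username and e-mail against Atlassian's advisory.
SUSPECT_USERNAME = "disabledsystemuser"
SUSPECT_EMAIL = "PLACEHOLDER-EMAIL-FROM-ADVISORY"


@dataclass
class LoginAttempt:
    when: datetime
    success: bool


@dataclass
class ConfluenceUser:
    username: str
    email: str
    active: bool                            # False once an admin has disabled it
    last_auth: Optional[datetime] = None    # None == "empty result", never logged in
    attempts: List[LoginAttempt] = field(default_factory=list)


@dataclass
class Finding:
    severity: str   # "none" | "medium" | "high" | "critical"
    status: str
    action: str


def matches_indicators(user: ConfluenceUser) -> bool:
    """Advisory-style indicator match on username or e-mail, case-insensitive."""
    return (user.username.lower() == SUSPECT_USERNAME
            or user.email.lower() == SUSPECT_EMAIL.lower())


def assess(users: List[ConfluenceUser]) -> Finding:
    hits = [u for u in users if matches_indicators(u)]
    if not hits:
        return Finding("none", "indicator account not present",
                       "nothing to do; keep this check in the regular user audit")
    u = hits[0]
    successes = [a for a in u.attempts if a.success]
    failures = [a for a in u.attempts if not a.success]
    # Any successful authentication means someone used the now-public password.
    if u.last_auth is not None or successes:
        used_at = u.last_auth or max(a.when for a in successes)
        return Finding("critical",
                       f"account has been used; last successful login {used_at.isoformat()}",
                       "treat as possible compromise: disable or delete the account, "
                       "invalidate its sessions, review page edits since that time")
    if not u.active:
        return Finding("medium", "account present but disabled; no logins recorded",
                       "delete the account or keep it disabled; uninstalling the app "
                       "alone does not remove it")
    if failures:
        return Finding("high",
                       f"account enabled, never logged in, {len(failures)} failed attempt(s)",
                       "disable or delete immediately; failed attempts suggest active probing")
    return Finding("high", "account enabled and never used",
                   "disable or delete immediately")


def _t(day: int, hour: int) -> datetime:
    """Constructed timestamps in July 2022 for the sample records."""
    return datetime(2022, 7, day, hour, tzinfo=timezone.utc)


# Constructed sample listings covering each outcome the article describes.
ADMIN = ConfluenceUser("admin", "admin@example.invalid", True, _t(20, 9))
SAMPLE_CLEAN = [ADMIN]
SAMPLE_UNUSED = [ADMIN, ConfluenceUser(SUSPECT_USERNAME, SUSPECT_EMAIL, True)]
SAMPLE_PROBED = [ADMIN, ConfluenceUser(SUSPECT_USERNAME, SUSPECT_EMAIL, True, None,
                                       [LoginAttempt(_t(21, 23), False)])]
SAMPLE_COMPROMISED = [ADMIN, ConfluenceUser("DisabledSystemUser", SUSPECT_EMAIL, True,
                                            _t(22, 3), [LoginAttempt(_t(22, 3), True)])]
SAMPLE_DISABLED = [ADMIN, ConfluenceUser(SUSPECT_USERNAME, SUSPECT_EMAIL, False)]

if __name__ == "__main__":
    for name, users in [("clean", SAMPLE_CLEAN), ("unused", SAMPLE_UNUSED),
                        ("probed", SAMPLE_PROBED), ("compromised", SAMPLE_COMPROMISED),
                        ("disabled", SAMPLE_DISABLED)]:
        f = assess(users)
        print(f"{name:12} {f.severity:9} {f.status} -> {f.action}")
```

The severity ordering mirrors the article’s guidance: an enabled, unused account is urgent but not yet evidence of compromise, a disabled one still needs deletion because uninstalling the app leaves it behind, and any successful login turns the check into an incident.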
“Now that the patches are out, one can expect patch diffing and reverse engineering efforts to produce a public PoC in a fairly short time,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should start patching Internet-facing products immediately, and those behind the firewall as quickly as possible. Comments in the advisory text recommending against proxy filtering as a mitigation suggest that there are multiple exploitation paths.”
The other two vulnerabilities disclosed by Atlassian on Wednesday are also serious and affect the following products:
- Bamboo server and data center
- Bitbucket server and data center
- Confluence server and data center
- Crowd server and data center
- Fisheye
- Jira server and data center
- Jira Service Management Server and Data Center
These vulnerabilities, tracked as CVE-2022-26136 and CVE-2022-26137, make it possible for remote, unauthenticated attackers to bypass Servlet Filters used by first- and third-party apps.
“The impact depends on which filters each app uses and how the filters are used,” the company said. “Atlassian has released updates that fix the root cause of this vulnerability but has not comprehensively listed all of the potential consequences of this vulnerability.”
Vulnerable Confluence servers have long been a favored target for hackers looking to install ransomware, cryptominers, and other types of malware. The vulnerabilities revealed by Atlassian this week are serious enough that administrators should prioritize a thorough review of their systems, ideally before the start of the weekend.