The other two vulnerabilities Atlassian disclosed on Wednesday are also serious, affecting the following products: The comments in the advisory recommending against proxy filtering as mitigation suggest that there are multiple trigger pathways. "Atlassian shops should get on to patching public-facing products immediately, and those behind the firewall as quickly as possible. "Now that the patches are out, one can expect patch diff and reversing engineering efforts to produce a public POC in a fairly short time," Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. The commands also show any recent login attempts that were successful or unsuccessful. If the result is null, the account exists on the system, but no one has yet signed in using it. The company has also published this list of answers to frequently asked questions.Ĭonfluence users looking for exploitation evidence can check the last authentication time for disabledsystemuser using the instructions here. Atlassian provided two ways for customers to fix the issue: disable or remove the "disabledsystemuser" account. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Email: provided more instructions for locating such accounts here.To figure out if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information: Uninstalling the app doesn't automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system. The company warned that even when Confluence installations don't actively have the app installed, they may still be vulnerable. "This vulnerability should be remediated on affected systems immediately." ![]() ![]() "This issue is likely to be exploited in the wild now that the hardcoded password is publicly known," the updated advisory read. ![]() "It is important to remediate this vulnerability on affected systems immediately."Ī day later, Atlassian was back to report that "an external party has discovered and publicly disclosed the hardcoded password on Twitter," leading the company to ratchet up its warnings. ![]() "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The company said that Questions for Confluence had 8,055 installations at the time of publication. The company warned the passcode was "trivial to obtain." What's worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.Ītlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |