Atlassian has fixed three critical vulnerabilities and is urging customers using Confluence, Bamboo, Bitbucket, Crowd, Fisheye and Crucible, Jira and Jira Service Management to update their instances as soon as possible.
There is no mention of these vulnerabilities being exploited in the wild, but flaws in Atlassian Confluence are often leveraged by attackers.
About CVE-2022-26138
CVE-2022-26138 affects the Questions for Confluence app, which is deployed and used by some Confluence Server and Data Center customers.
When versions 2.7.34, 2.7.35, and 3.0.2 of the app are enabled on those products, a Confluence user account with the username disabledsystemuser is created with an associated hardcoded password, and added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.
“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,” the company explained, and added that the password is trivial to obtain after downloading and reviewing affected versions of the app.
Because of this, and because uninstalling the app does not automatically remove the disabledsystemuser account, AND because it’s possible the account has been previously created by a version of the app that has been installed and uninstalled, Atlassian urges customers to check whether that active user account is present and to disable or delete it before or after updating to a non-vulnerable version of the app.
There’s also a way for defenders to check if anyone has ever successfully logged in to that account (and possibly exploited its existence).
About CVE-2022-26136 and CVE-2022-26137
CVE-2022-26136 and CVE-2022-26137 affect the Servlet Filter Dispatcher.
The former may allow a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps and to bypass authentication and to execute arbitrary Javascript in the user’s browser. The latter may allow an attacker to access the vulnerable application with the victim’s permissions. In both cases, user interaction is required (they have to be tricked into requesting a malicious URL).
“The impact [of CVE-2022-26136] depends on which filters are used by each app, and how the filters are used. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” the company said.
There are no workarounds or mitigation actions users can make – upgrading the affected installations of the following products is strongly advised (even if the instances are not connected to the internet):
- Confluence Server and Data Center
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Crowd Server and Data Center
- Crucible
- Fisheye
- Jira Software Server and Data Center
- Jira Service Management Server and Data Center.
“These vulnerabilities affect the code included with each affected product. Systems are still affected even if they do not have any third-party apps installed,” Atlassian added.
“Unfortunately, Atlassian cannot confirm if an instance has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation. Atlassian recommends checking the integrity of the application filesystem, for example, comparison of artifacts in their current state with recent backups to see if there are any unexpected differences. All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files such as (syslogs, audit logs, access logs, etc.) depending on the component that has been compromised.”
Source: https://www.helpnetsecurity.com/2022/07/21/atlassian-confluence-jira-bitbucket-critical/