Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open

Atlassian on Thursday urged organizations using its Questions for Confluence app to immediately update to the latest version of the software, or to apply a mitigation, to protect against a critical vulnerability in the product, one of three critical bugs the vendor disclosed this week.
The "patch now" advice was prompted by the public disclosure of a hardcoded password associated with the Questions app. The password gives a remote attacker with no legitimate credentials a way to log into Confluence and access all content available to the broader confluence-users group.
Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Confluence environments often house sensitive data on projects an organization is working on, or on its customers and partners.
The Questions app, meanwhile, adds a Q&A/crowdsourcing function within a given workspace.
The problem primarily affects organizations running versions 2.7.34, 2.7.35, and 3.0.2 of the Questions for Confluence app on Confluence Server and Data Center. However, Atlassian said organizations using other versions could potentially be affected as well. The vulnerability does not affect the Questions for Confluence app for Confluence Cloud.
Bracing for Exploits
"The issue is likely to be exploited in the wild now that the hardcoded password is publicly known," Atlassian warned. "This vulnerability (CVE-2022-26138) should be remediated on affected systems immediately," the vendor said.
Atlassian disclosed the bug on Wednesday. The company described the issue as stemming from a Confluence user account that is created when the Questions for Confluence app is enabled on either Confluence Data Center or Confluence Server. The account, with the username "disabledsystemuser", is intended to help administrators migrate data from the app to Confluence Cloud.
But the account is created with a hardcoded password and is added to the confluence-users group. By default, membership in that group allows viewing and editing of all non-restricted pages, according to Atlassian. So any attacker who knows the password can log in remotely to the Confluence environment and access whatever content other members of the group can access, the vendor said.
Soon after Atlassian's advisory on Wednesday, a security researcher published the hardcoded password on Twitter, prompting Atlassian's urgent update on Thursday.
The company's advisory provided details on how organizations can determine whether they are affected by the vulnerability, or might already have been compromised through an exploit targeting the flaw. Atlassian urged organizations to update to version 2.7.38 or 3.0.5 of the app, or to disable or delete the disabledsystemuser account.
Importantly, simply uninstalling the Questions for Confluence app does not remediate the vulnerability, because the disabledsystemuser account remains in place after the app is removed, Atlassian warned.
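The triage steps above (check the installed app version, check whether the account still exists and is still in confluence-users, and look for logins by it) can be scripted. The following is an added example written for this article, not Atlassian's own tooling. It assumes the admin has exported a list of user records as dicts with `username`, `active` and `groups` keys, and access-log lines in which the authenticated user name is the first field after a bracketed timestamp; both the record shape and the log format are assumptions, and all sample data is constructed.

```python
"""
Triage helper for CVE-2022-26138 (Questions for Confluence hardcoded account).
Added example, not Atlassian's tooling. Assumed inputs:
  * installed Questions for Confluence version as a string (from the admin UI);
  * user export: list of dicts with 'username', 'active', 'groups';
  * access-log lines: "[timestamp] <user> <client-ip> <request...>".
All sample data below is constructed for this example.
"""
import re
from typing import Iterable, Optional

SUSPECT_USER = "disabledsystemuser"
# Fixed app versions named in the advisory, keyed by release branch.
FIXED = {(2, 7): (2, 7, 38), (3, 0): (3, 0, 5)}


def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.strip().split("."))


def needs_update(installed: str) -> bool:
    """True when the installed build is older than the fixed build on its branch.
    Unknown branches are flagged too: the advisory says other versions may be affected."""
    v = parse_version(installed)
    fixed = FIXED.get(v[:2])
    return fixed is None or v < fixed


def find_suspect_account(users: Iterable[dict]) -> Optional[dict]:
    """Return the disabledsystemuser record if it still exists.
    The account survives uninstalling the app, so check this regardless of app state."""
    for u in users:
        if u.get("username", "").lower() == SUSPECT_USER:
            return u
    return None


# Assumed log shape: "[20/Jul/2022:09:14:55 +0000] alice 203.0.113.10 GET /path HTTP/1.1 200"
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<rest>.*)$")


def logins_by_suspect_user(lines: Iterable[str]) -> list:
    """Collect every request made while authenticated as the suspect account."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("user").lower() == SUSPECT_USER:
            hits.append({"timestamp": m.group("ts"), "request": m.group("rest")})
    return hits


def triage(installed: str, users: Iterable[dict], log_lines: Iterable[str]) -> dict:
    acct = find_suspect_account(users)
    hits = logins_by_suspect_user(log_lines)
    return {
        "update_required": needs_update(installed),
        "account_present": acct is not None,
        # Disabling or deleting the account is the mitigation when updating is not possible.
        "account_active": bool(acct and acct.get("active")),
        "in_confluence_users": bool(acct and "confluence-users" in acct.get("groups", [])),
        "suspect_logins": len(hits),
        "suspect_login_details": hits,
    }


# Constructed sample data (not real exports).
SAMPLE_USERS = [
    {"username": "alice", "active": True, "groups": ["confluence-users"]},
    {"username": "disabledsystemuser", "active": True, "groups": ["confluence-users"]},
]
SAMPLE_LOG = [
    "[20/Jul/2022:09:12:01 +0000] alice 203.0.113.10 GET /display/ENG/Roadmap HTTP/1.1 200",
    "[20/Jul/2022:09:14:55 +0000] disabledsystemuser 198.51.100.7 GET /rest/api/content?limit=100 HTTP/1.1 200",
    "[20/Jul/2022:09:15:02 +0000] - 198.51.100.7 GET /login.action HTTP/1.1 200",
]

if __name__ == "__main__":
    report = triage("3.0.2", SAMPLE_USERS, SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-zero `suspect_logins` count means the account was used and the instance should be treated as compromised, not merely patched; `account_present` being true on an instance where the app has already been uninstalled is exactly the case the advisory warns about.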
Two Other Critical Vulnerabilities
The other two critical vulnerabilities disclosed this week (CVE-2022-26136 and CVE-2022-26137) exist in multiple versions of almost all Atlassian products. These include Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Jira Server and Data Center, and Jira Service Management Server and Data Center.
CVE-2022-26136 is an authentication-bypass vulnerability in Servlet Filters, the Java components that intercept and process HTTP requests flowing between a client and a backend system. The vulnerability gives attackers a way to use a specially crafted HTTP request to bypass Servlet Filters that third-party apps may rely on to enforce authentication.
The same vulnerability also allows attackers to use specially crafted HTTP requests to trick users into executing arbitrary JavaScript in their browsers.
Atlassian said it has been able to confirm that such attacks are possible, but has not yet been able to determine all of the third-party apps that might be affected by the issue.
The flaw tracked as CVE-2022-26137 also involves Servlet Filters and gives remote, unauthenticated attackers a way to access a vulnerable application with a victim's permissions by using a specially crafted HTTP request to trick that user into requesting a malicious URL. Atlassian has released updated versions of its software for all affected products to address these vulnerabilities.
Atlassian’s Ongoing Cybersecurity Woes
The latest flaws mark the second time in the past two months that organizations using Atlassian's technology have been forced to scramble to fix serious flaws in its products.
In early June, the company disclosed a critical remote code-execution (RCE) vulnerability affecting all supported versions of Confluence Server and Data Center. The bug (CVE-2022-26134) gave unauthenticated attackers a way to drop a Web shell on affected systems. It generated considerable concern because threat actors had already begun exploiting it by the time the company issued a fix.
Attackers quickly began exploiting the flaw to distribute a variety of malware, including Mirai bot variants, cryptominers, ransomware, and the Cobalt Strike post-exploitation attack kit. Many of the attacks were automated.
An analysis by Barracuda showed that 45% of attempts to exploit the vulnerability came from Russia-based IP addresses, 25% came from the US, and 11% originated from IP addresses in India.