Atlassian released patches for three critical vulnerabilities. Two of the three flaws impact Confluence Server, Confluence Data Center, Bamboo, Bitbucket, Fisheye, Jira, and several other products; the third impacts only Confluence Server and Data Center. Atlassian is aware that the vulnerabilities are under exploitation.
The vulnerabilities are tracked as CVE-2022-26136 (Arbitrary Servlet Filter Bypass), CVE-2022-26137 (Additional Servlet Filter Invocation), and CVE-2022-26138 (Default Login). A PoC is available for CVE-2022-26138, “Questions For Confluence – Default Login”. At the time of writing, there is no PoC available for CVE-2022-26136 or CVE-2022-26137.
CVE-2022-26138 – An unauthenticated remote attacker can exploit this vulnerability by using hard-coded credentials. As a result, the attacker can log in to Confluence and access any page that the Confluence users group has access to.
The vulnerability cannot be fixed by uninstalling the Questions for Confluence application either. Users should delete or disable the “disabledsystemuser” account or apply the vendor's patch.
Steps to Exploit CVE-2022-26138
- Send a POST request to the “/dologin.action” endpoint.
- Add the POST data “os_username=disabledsystemuser&os_password=disabledsystemuser6708&login=Log+in&os_destination=%2Fhttpvoid.action”.
- This POST request logs the sender in to the Confluence Server or Data Center instance.
POST /dologin.action HTTP/1.1
Affected Versions
- Atlassian Bamboo Server and Data Center Versions < 7.2.9, 8.0.x < 8.0.9, 8.1.x < 8.1.8, 8.2.x < 8.2.4
- Atlassian Bitbucket Server and Data Center Versions < 7.6.16, All versions 7.7.x through 7.16.x, 7.17.x < 7.17.8, All versions 7.18.x, 7.19.x < 7.19.5, 7.20.x < 7.20.2, 7.21.x < 7.21.2, 8.0.0, 8.1.0
- Atlassian Confluence Server and Data Center Versions < 7.4.17, All versions 7.5.x through 7.12.x, 7.13.x < 7.13.7, 7.14.x < 7.14.3, 7.15.x < 7.15.2, 7.16.x < 7.16.4, 7.17.x < 7.17.4, 7.18.0
- Atlassian Crowd Server and Data Center Versions < 4.3.8, 4.4.x < 4.4.2, 5.0.0
- Atlassian Crucible Versions < 4.8.10
- Atlassian Fisheye Versions < 4.8.10
- Atlassian Jira Server and Data Center Versions < 8.13.22, All versions 8.14.x through 8.19.x, 8.20.x < 8.20.10, All versions 8.21.x, 8.22.x < 8.22.4
Note: 8.22.4 is not affected, but it contains a security bug unrelated to this CVE.
- Atlassian Jira Service Management Server and Data Center Versions < 4.13.22, All versions 4.14.x through 4.19.x, 4.20.x < 4.20.10, All versions 4.21.x, 4.22.x < 4.22.4
- Questions for Confluence App 2.7.34, 2.7.35, 3.0.2 for Confluence Server and Confluence Data Center
Fixed Versions
- Atlassian Bamboo Server and Data Center 7.2.x >= 7.2.9, 8.0.x >= 8.0.9, 8.1.x >= 8.1.8, 8.2.x >= 8.2.4, Versions >= 9.0.0
- Atlassian Bitbucket Server and Data Center 7.6.x >= 7.6.16 (LTS), 7.17.x >= 7.17.8 (LTS), 7.19.x >= 7.19.5, 7.20.x >= 7.20.2, 7.21.x >= 7.21.2 (LTS), 8.0.x >= 8.0.1, 8.1.x >= 8.1.1, Versions >= 8.2.0
- Atlassian Confluence Server and Data Center 7.4.x >= 7.4.17 (LTS), 7.13.x >= 7.13.7 (LTS), 7.14.x >= 7.14.3, 7.15.x >= 7.15.2, 7.16.x >= 7.16.4, 7.17.x >= 7.17.4, 7.18.x >= 7.18.1
- Atlassian Crowd Server and Data Center 4.3.x >= 4.3.8, 4.4.x >= 4.4.2, Versions >= 5.0.1
- Atlassian Crucible Versions >= 4.8.10
- Atlassian Fisheye Versions >= 4.8.10
- Atlassian Jira Server and Data Center 8.13.x >= 8.13.22 (LTS), 8.20.x >= 8.20.10 (LTS), 8.22.x >= 8.22.4, Versions >= 9.0.0
- Atlassian Jira Service Management Server and Data Center 4.13.x >= 4.13.22 (LTS), 4.20.x >= 4.20.10 (LTS), 4.22.x >= 4.22.4, Versions >= 5.0.0
Note: 4.22.5 contains a security vulnerability, so upgrade to 4.22.6 instead.
Mitigation
- Solution 1: Upgrade the Questions for Confluence app to >= 2.7.38 (requires Confluence 6.13.18 through 7.16.2) or >= 3.0.5 (requires Confluence 7.16.3 and later). Uninstalling the Questions for Confluence app will not fix this issue: after the app is uninstalled, the disabledsystemuser account is not automatically deleted.
- Solution 2: Delete or disable the “disabledsystemuser” account.
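As an added triage helper (not Atlassian's code), the following encodes the Confluence Server and Data Center affected ranges from the list above and the Questions for Confluence fixed versions from Solution 1, so an inventory of version strings can be checked offline. It assumes versions are dotted numerics with an optional "-suffix", and treats Questions for Confluence release lines not named on the page as fixed only from 3.0.5 onward.

```python
"""Triage helper for the Atlassian advisory above (added example, not vendor code).

confluence_affected(): is a Confluence Server/DC version in the affected range
for CVE-2022-26136 / CVE-2022-26137?
questions_app_fixed(): does a Questions for Confluence app version carry the
fix for CVE-2022-26138 (hard-coded disabledsystemuser credentials)?
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse(version: str) -> Version:
    """'7.13.7-rc1' -> (7, 13, 7); a trailing '-suffix' is ignored (assumption)."""
    return tuple(int(part) for part in version.split("-", 1)[0].split("."))


# Confluence release line -> first version in that line that is fixed.
# Transcribed from the advisory: < 7.4.17, 7.13.x < 7.13.7, 7.14.x < 7.14.3,
# 7.15.x < 7.15.2, 7.16.x < 7.16.4, 7.17.x < 7.17.4, 7.18.0 (fixed in 7.18.1).
CONFLUENCE_FIXED_IN: Dict[Version, Version] = {
    (7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2), (7, 16): (7, 16, 4), (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}

# Questions for Confluence release line -> first fixed version (Solution 1).
QUESTIONS_FIXED_IN: Dict[Version, Version] = {(2, 7): (2, 7, 38), (3, 0): (3, 0, 5)}


def confluence_affected(version: str) -> bool:
    v = parse(version)
    if v < (7, 4):              # everything older than the 7.4 line is < 7.4.17
        return True
    line = v[:2]
    if line in CONFLUENCE_FIXED_IN:
        return v < CONFLUENCE_FIXED_IN[line]
    # "All versions 7.5.x through 7.12.x" are affected; 7.19+ is not listed.
    return (7, 5) <= line <= (7, 12)


def questions_app_fixed(version: str) -> bool:
    v = parse(version)
    line = v[:2]
    if line in QUESTIONS_FIXED_IN:
        return v >= QUESTIONS_FIXED_IN[line]
    return v >= (3, 0, 5)       # assumption for lines the page does not name


if __name__ == "__main__":
    for ver in ("6.13.18", "7.4.17", "7.13.6", "7.18.0", "7.19.0"):  # constructed inventory
        print(ver, "AFFECTED" if confluence_affected(ver) else "not affected")
```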