Dive Brief:
- Threat actors are likely exploiting a critical vulnerability that surfaced in a pair of Confluence support apps after a hardcoded default password was leaked, Atlassian warned customers in an advisory update on Thursday.
- The culprit, a default password for the admin account created by Atlassian’s Questions for Confluence app, allows attackers to gain access to unpatched servers. Atlassian released a patch for the vulnerability and advised all organizations running affected Confluence systems to update the app and to disable or delete the default “disabledsystemuser” admin account.
- On Friday, the Cybersecurity and Infrastructure Security Agency issued an advisory alerting customers to the latest vulnerability affecting Confluence. “An attacker could exploit this vulnerability to obtain sensitive information,” the agency said.
Dive Insight:
This marks the second critical vulnerability in Atlassian’s Confluence Server and Data Center products in as many months. The company released a security update in early June to patch a critical zero-day vulnerability that attackers could exploit without the need for authentication.
Questions for Confluence, a support app that has been downloaded more than 8,000 times, automatically creates the default username and password to help administrators migrate data from the app to Confluence Cloud.
Atlassian said an outside party discovered the hardcoded default password for the admin account and leaked it on Twitter.
The admin account tied to the hardcoded password is added to the confluence-users group upon install, which by default grants it full control over non-restricted pages within Confluence, according to Atlassian.
Organizations that previously installed and then uninstalled the support app remain vulnerable, because the default username and password are added directly to Confluence Server or Data Center rather than to the app itself. The account must be manually deleted or disabled, or removed by installing an updated version of the Questions for Confluence app.
Atlassian also encourages customers to search for evidence of exploitation by obtaining a list of users’ logon times. If no authentication time for “disabledsystemuser” is found, the account still exists but has yet to be compromised, the company said.
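The triage logic Atlassian describes above (does the default account exist, has it ever authenticated, is it still in confluence-users) is easy to run over an exported user list. The following is an added example and is not code from the article or from Atlassian; it assumes an administrator has already exported users into a small CSV with the columns shown, which is a constructed format, not a real Confluence export or API.

```python
"""Triage helper for the Questions for Confluence default-account issue.

Added example (not Atlassian's code). It assumes a user export has been
pulled from Confluence into the CSV layout below; the column names and
the export itself are assumptions, not a real Confluence API.
"""
import csv
import io
from datetime import datetime, timezone

DEFAULT_ACCOUNT = "disabledsystemuser"   # default account named in the advisory
DEFAULT_GROUP = "confluence-users"       # group the account is added to on install

# Constructed sample export: username, groups (semicolon separated), last login.
# An empty last_login means the account has never authenticated.
SAMPLE_EXPORT_NO_LOGIN = """username,groups,last_login
alice,confluence-users;confluence-administrators,2022-07-20T08:15:00Z
bob,confluence-users,2022-07-19T17:42:00Z
disabledsystemuser,confluence-users,
"""

# Constructed sample where the default account has authenticated (suspicious).
SAMPLE_EXPORT_WITH_LOGIN = """username,groups,last_login
alice,confluence-users;confluence-administrators,2022-07-20T08:15:00Z
disabledsystemuser,confluence-users,2022-07-21T02:03:00Z
"""


def parse_export(text):
    """Parse the constructed CSV into a list of user dicts."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("last_login") or "").strip()
        last_login = None
        if raw:
            last_login = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(
                tzinfo=timezone.utc
            )
        groups = [g.strip() for g in (row.get("groups") or "").split(";") if g.strip()]
        users.append(
            {"username": row["username"].strip(), "groups": groups, "last_login": last_login}
        )
    return users


def triage_default_account(users, account=DEFAULT_ACCOUNT, group=DEFAULT_GROUP):
    """Apply the advisory's logic to the parsed export.

    Returns a finding with one of three statuses:
      absent            - account not present (confirm the app is patched)
      present_no_login  - account exists, never authenticated (disable/delete)
      present_logged_in - account exists and has authenticated (investigate)
    """
    for user in users:
        if user["username"] != account:
            continue
        in_group = group in user["groups"]
        if user["last_login"] is None:
            return {
                "status": "present_no_login",
                "in_group": in_group,
                "last_login": None,
                "action": "Disable or delete the account (or install the fixed app "
                          "version); no authentication recorded yet.",
            }
        return {
            "status": "present_logged_in",
            "in_group": in_group,
            "last_login": user["last_login"].isoformat(),
            "action": "Treat as possible compromise: review activity by this "
                      "account, then disable or delete it.",
        }
    return {
        "status": "absent",
        "in_group": False,
        "last_login": None,
        "action": "Default account not present; confirm the app version is patched.",
    }


if __name__ == "__main__":
    for label, export in (("no login", SAMPLE_EXPORT_NO_LOGIN),
                          ("with login", SAMPLE_EXPORT_WITH_LOGIN)):
        finding = triage_default_account(parse_export(export))
        print(f"{label}: {finding['status']} -> {finding['action']}")
```

The three outcomes map directly onto the advisory: an account that exists but has no authentication time is the "not yet compromised" case and still needs to be disabled or deleted, while any recorded login for the default account should be treated as a lead for incident response rather than just a cleanup item.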