  • On July 20, 2022 Atlassian published two Critical Severity security advisories for three unique CVEs: Questions For Confluence hardcoded username and password (CVE-2022-26138) and Multiple Servlet Vulnerabilities (CVE-2022-26136, CVE-2022-26137).
  • These affect Confluence Server and Data Center, but only a specific application, Questions for Confluence.
  • These vulnerabilities do not impact Atlassian Cloud products.
  • We believe that these vulnerabilities (XSS/CORS bypass) will not directly result in remote code execution (RCE). The likeliest candidate is the hard-coded password (CVE-2022-26138), but it requires that a malicious/backdoor binary be loaded via Confluence.
  • We have not seen the vulnerabilities exploited in our customers' environments at this point, and no IOCs have been reported by the community as of July 21, 2022.
  • Expel reviewed recent exploit repositories on July 21, 2022 and has not seen exploit code tied to these specific CVEs. That said, there are other exploits of recent Confluence vulnerabilities, which could be repurposed for these exploits.

The details:

Questions for Confluence

From Atlassian: 

When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.

While Atlassian has not received any reports of this issue being exploited in the wild, the hardcoded password is trivial to obtain after downloading and reviewing affected versions of the app.

Multiple Servlet Vulnerabilities

From Atlassian:

A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request is sent to a back end resource. They’re also used to intercept and process HTTP responses from a back end resource before they’re sent to a client. Some Servlet Filters provide security mechanisms such as logging, auditing, authentication, or authorization.

The following attacks have been confirmed by Atlassian as possible:

  • Authentication bypass. Sending a specially crafted HTTP request can bypass custom Servlet Filters used by third party apps to enforce authentication. A remote, unauthenticated attacker can exploit this to bypass authentication used by third party apps. Please note Atlassian has confirmed this attack is possible, but has not determined a list of all affected apps.
  • Cross-site scripting (XSS). Sending a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, which can result in cross-site scripting (XSS). An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser.
  • Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.

Why we are telling you:

  • These vulnerabilities require immediate configuration changes to mitigate, such as disabling or removing the disabledsystemuser account.
  • See the “Immediate recommendations” section below for details on affected versions and patching.
  • It's not always easy to deploy EDR technology to servers, so this activity could be in a part of the network that doesn't have good visibility for monitoring.
  • Investigating the activity involves running queries on the server hosting the Questions for Confluence application.

Immediate recommendations:

Questions for Confluence

  • From Atlassian: To determine if anyone has successfully logged in to the disabledsystemuser account, refer to this document, which provides instructions on how to get a list of users' last logon times. If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it.
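The last-logon check above answers whether the account was ever used; the server's access log answers from where and what it touched. The following is an added example (not part of this advisory or Atlassian's guidance) that scans constructed Confluence access-log lines for successful requests attributed to disabledsystemuser. It assumes the Tomcat access-log pattern that Confluence Server/Data Center ships in conf/server.xml, in which the second field is the authenticated username; verify the pattern on your own instance before relying on the parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Tomcat access-log pattern Confluence Server/DC
# ships in conf/server.xml (assumed here; check your own server.xml):
#   %t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i
# The second field is the authenticated username ("-" for anonymous).
SAMPLE_LOG = """\
[21/Jul/2022:09:14:02 +0000] - http-nio-8090-exec-3 10.0.0.5 "GET /login.action HTTP/1.1" 200 12ms 4210 - "Mozilla/5.0"
[21/Jul/2022:09:14:07 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.44 "POST /dologin.action HTTP/1.1" 302 87ms 0 - "python-requests/2.28.1"
[21/Jul/2022:09:14:09 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.44 "GET /rest/api/content?limit=100 HTTP/1.1" 200 140ms 98311 - "python-requests/2.28.1"
[21/Jul/2022:09:20:31 +0000] jdoe http-nio-8090-exec-1 10.0.0.17 "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 33ms 5120 - "Mozilla/5.0"
[21/Jul/2022:09:22:00 +0000] disabledsystemuser http-nio-8090-exec-2 203.0.113.44 "POST /dologin.action HTTP/1.1" 401 15ms 0 - "curl/7.84.0"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<user>\S+) \S+ (?P<ip>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return the fields we need, or None for lines that don't match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_account_activity(log_text, account="disabledsystemuser"):
    """Successful (status < 400) requests attributed to `account`, grouped by
    source IP with first/last seen and the paths touched. An empty result is the
    log-side analogue of a null last-logon time: no evidence of use in this window."""
    by_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != account or rec["status"] >= 400:
            continue  # other users, anonymous requests and failed logins are skipped
        s = by_ip[rec["ip"]]
        s["count"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["paths"].add(rec["path"])
    return dict(by_ip)

if __name__ == "__main__":
    hits = find_account_activity(SAMPLE_LOG)
    print(hits or "no successful requests attributed to disabledsystemuser")
```

Any non-empty result for an account that should never have been used is worth treating as an incident and comparing against the last-logon time from the database check.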

Multiple Servlet Vulnerabilities

  • Refer to the security advisory from Atlassian to identify whether your versions of the various vulnerable applications are affected or fixed.

Strategic recommendations:

The following are strategic recommendations that could be applied to address these types of issues in the future:

  • Any Internet/public facing Confluence web servers should be placed behind an SSO solution or Federated Identity Management solution.
  • Consider blocking on-prem Confluence servers from the Internet and limiting access to them to client VPN only.
  • Place critical systems running applications such as Confluence on a critical asset list, so they are scanned and/or patched on a more frequent basis.

What Expel is doing:

We are continuing to monitor this situation, and will notify you as soon as possible if we find any indication this has impacted you directly.

  • Determining new behavioral detection opportunities associated with this attack and reviewing threat intel sources.
  • Reviewed all ingested vendor alerts for the past 30 days for known IOCs.
  • Monitored open source reporting for additional updates.
  • Expel examined this threat to see what detection and hunting logic we can apply to detect this activity with acceptable fidelity.
  • We recommend implementing the applicable patches and updates when appropriate and able.

More Info/ References: