Atlassian's Confluence Server and Confluence Data Center wiki software are vulnerable. The developers state that Confluence Cloud is not affected by the vulnerability.
However, systems are only vulnerable if the Questions for Confluence app is installed. In that case, the app for Confluence Server and Data Center automatically creates an account with the username 'disabledsystemuser'. A default password is set when the account is created, and attackers can obtain it with relatively little effort.
Equipped with it, they can by default access all wiki pages that are not restricted. In an advisory, the developers classify the vulnerability (CVE-2022-26138) as "critical". Atlassian states that it has not detected any attacks so far.
Administrators should check their Confluence installations for an account with the following data:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: [email protected]
If so, they should act. Specifically, Questions for Confluence versions 2.7.34, 2.7.35 and 3.0.2 are affected.
Uninstalling the app does not resolve the security issue, because the account remains. To secure their systems, administrators need to install the fixed versions 2.7.38 or 3.0.5. Alternatively, they can disable or remove the account.
By looking at the list of registered users, one can check whether attackers have already exploited the vulnerability. The developers describe how this works in an article.
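The following helper is an added example, not Atlassian's code: it turns the facts in the advisory above into a check an administrator can run against an exported user list and the installed app version. The input shapes (a version string or `None` if the app is not installed, and user records with `username` and `active` keys) are assumptions, and the sample data in the test is constructed.

```python
"""Decide whether a Confluence Server / Data Center instance still needs
action for CVE-2022-26138, based on the advisory's stated facts."""

# Versions the advisory names as affected, and the first fixed release of each branch.
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
FIXED_PER_BRANCH = {(2, 7): 38, (3, 0): 5}   # 2.7.38 and 3.0.5 contain the fix
INDICATOR_USERNAME = "disabledsystemuser"    # account created by the vulnerable app


def parse_version(version):
    """'2.7.34' -> (2, 7, 34); assumes plain dotted numeric versions."""
    return tuple(int(part) for part in version.split("."))


def app_is_fixed(version):
    """True if the installed app is at or above the fixed release of its branch.
    Branches the advisory does not name are reported as not fixed so that
    they are reviewed rather than silently ignored."""
    major, minor, patch = (parse_version(version) + (0, 0, 0))[:3]
    fixed_patch = FIXED_PER_BRANCH.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


def find_indicator_accounts(users):
    """Return user records whose username matches the indicator (case-insensitive)."""
    return [u for u in users if u.get("username", "").lower() == INDICATOR_USERNAME]


def assess(app_version, users):
    """Combine app status and account status into the list of remaining actions."""
    accounts = find_indicator_accounts(users)
    live = [u for u in accounts if u.get("active", True)]
    findings = {
        "account_present": bool(accounts),
        "account_active": bool(live),
        "app_installed": app_version is not None,
        "app_known_affected": app_version in AFFECTED_VERSIONS,
        "app_fixed": app_version is not None and app_is_fixed(app_version),
        "actions": [],
    }
    if live:
        # Uninstalling the app does not remove the account, so this action
        # is required even when app_installed is False.
        findings["actions"].append("disable or delete the account")
    if app_version is not None and not findings["app_fixed"]:
        findings["actions"].append("update Questions for Confluence to 2.7.38 or 3.0.5")
    return findings
```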