CVE-2022-26138
📋 TL;DR
The Atlassian Questions For Confluence app creates a default user account with a hardcoded password, allowing remote unauthenticated attackers to log in and access all content available to the confluence-users group. This affects Confluence Server and Data Center installations with specific vulnerable app versions. Organizations using affected versions are at immediate risk of unauthorized data access.
💻 Affected Systems
- Atlassian Questions For Confluence app
- Confluence Server
- Confluence Data Center
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all Confluence content accessible to confluence-users group, including sensitive documents, internal communications, and potentially privileged information.
Likely Case
Unauthorized access to internal documentation, project plans, and confidential business information stored in Confluence.
If Mitigated
Limited impact if network segmentation prevents external access and monitoring detects unusual login attempts.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded password and network access to Confluence. CISA has added this to its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Questions For Confluence app version 3.0.3 or later
Vendor Advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
Restart Required: Yes
Instructions:
1. Update Questions For Confluence app to version 3.0.3 or later via Confluence administration interface.
2. Restart Confluence service.
3. Verify the disabledsystemuser account has been removed or disabled.
🔧 Temporary Workarounds
Remove vulnerable user account
Manually delete or disable the disabledsystemuser account in Confluence user management
Navigate to Confluence Admin > User Management > Search for 'disabledsystemuser' > Delete or disable account
Network isolation
Restrict network access to Confluence instances to trusted IP ranges only
Configure firewall rules to allow only authorized IP addresses to access Confluence ports (typically 8090, 8443)
🧯 If You Can't Patch
- Immediately disable or delete the disabledsystemuser account via Confluence user management
- Implement strict network access controls to limit Confluence access to authorized users only
🔍 How to Verify
Check if Vulnerable:
Check Confluence administration interface for Questions For Confluence app version 2.7.34, 2.7.35, or 3.0.2, and verify if disabledsystemuser account exists in user management.
Check Version:
Check via Confluence Admin > Manage apps > Questions For Confluence > Version
Verify Fix Applied:
Confirm Questions For Confluence app is version 3.0.3 or later, and verify disabledsystemuser account no longer exists or is disabled.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts for disabledsystemuser
- Successful login events for disabledsystemuser
- Unusual access patterns from new IP addresses
Network Indicators:
- Authentication requests to Confluence login endpoint for disabledsystemuser
- Unusual traffic patterns to Confluence from external sources
SIEM Query:
source="confluence.log" AND ("disabledsystemuser" OR "failed login" OR "successful login")
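The log indicators above can be turned into a small detection routine. The following is an added example, not part of the original advisory or Atlassian's own tooling: it parses a constructed, simplified login-log format (a real Confluence log layout will differ, so the regex is an assumption to adapt), flags any failed or successful login for the disabledsystemuser account, and flags successful logins from source IPs outside a known allow-list.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified login-event format.
# Assumption: real Confluence logs use a different layout; adjust LINE_RE.
SAMPLE_LOG = """\
2022-07-21 09:12:01 INFO  [login] user=jdoe result=success ip=10.0.1.15
2022-07-21 09:14:22 WARN  [login] user=disabledsystemuser result=failed ip=203.0.113.7
2022-07-21 09:14:25 WARN  [login] user=disabledsystemuser result=failed ip=203.0.113.7
2022-07-21 09:14:31 INFO  [login] user=disabledsystemuser result=success ip=203.0.113.7
2022-07-21 09:20:05 INFO  [login] user=asmith result=success ip=10.0.1.22
2022-07-21 09:25:40 INFO  [login] user=jdoe result=success ip=198.51.100.9
"""

# The default account created by the vulnerable app versions.
WATCHED_USER = "disabledsystemuser"

# Hypothetical line format: "<date> <time> <level> [login] user=<u> result=<r> ip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+\s+\[login\] user=(?P<user>\S+) "
    r"result=(?P<result>success|failed) ip=(?P<ip>\S+)$"
)


def parse_login_events(log_text):
    """Return one dict per line that matches the login-event pattern."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_indicators(events, known_ips=frozenset()):
    """Return alerts for (a) any activity by the default account and
    (b) successful logins from IPs not in the known allow-list.
    Each new IP is alerted once, then treated as seen."""
    alerts = []
    seen_ips = set(known_ips)
    for e in events:
        if e["user"] == WATCHED_USER:
            alerts.append({"kind": f"{WATCHED_USER}_{e['result']}", **e})
        if e["result"] == "success" and e["ip"] not in seen_ips:
            alerts.append({"kind": "new_source_ip", **e})
            seen_ips.add(e["ip"])
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. for a SIEM dashboard or triage ticket."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    found = find_indicators(evts, known_ips={"10.0.1.15", "10.0.1.22"})
    for a in found:
        print(f"{a['ts']} {a['kind']:28} user={a['user']} ip={a['ip']}")
    print(summarize(found))
```

Any hit on the default account, failed or successful, is worth a ticket on its own; on an unpatched instance a successful login is the point at which the workaround (disabling the account) and a review of what that session accessed become urgent.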
🔗 References
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
- https://jira.atlassian.com/browse/CONFSERVER-79483
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26138