Questions For Confluence App - Hardcoded Password

(i) Update: This advisory has been updated since its original publication.

2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)

• {color:#172b4d}Updated the Remediation section to note that if the {{disabledsystemuser}} account is manually deleted, the app must also be updated or uninstalled to ensure the account does not get recreated{color}

2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)

• Updated the Summary of Vulnerability section to note the email service provider for the {{[email protected]}} account has confirmed the account has been blocked

2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)

• Updated the Summary of Vulnerability section to note that instances that have not remediated this vulnerability per the Remediation section below may send email notifications from Confluence to a third party email address
• Additional details are available in [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html]

2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)

• Updated the Remediation section to explain only option 2 can be used for Confluence Server and Data Center instances configured to use a read-only external directory
• Added a link to a page of frequently asked questions about CVE-2022-26138

2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)

• An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately.
• The Vulnerability Summary section has been updated to include this new information

h3. Vulnerability Summary

When the [Questions for Confluence app|https://marketplace.atlassian.com/apps/1211644/questions-for-confluence?hosting=server&tab=overview] is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username {{{}disabledsystemuser{}}}. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The {{disabledsystemuser}} account is created with a hardcoded password and is added to the {{confluence-users}} group, which allows viewing and editing all non-restricted pages within Confluence [by default|https://confluence.atlassian.com/doc/confluence-groups-139478.html]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.

The {{disabledsystemuser}} account is configured with a third party email address ({{{}[email protected]{}}}) that is not controlled by Atlassian. If this vulnerability has not been remediated per the Fixes section below, an affected instance configured to send [notifications|https://confluence.atlassian.com/doc/email-notifications-145162.html] will email that address. One example of an email notification is [Recommended Updates Notifications|https://confluence.atlassian.com/doc/configuring-the-recommended-updates-email-notification-281480712.html], which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the {{[email protected]}} account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.

(!) An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the Remediation section below for guidance on how to remediate this vulnerability.
h3. How To Determine If You Are Affected

A Confluence Server or Data Center instance is affected if it has an active user account with the following information:

• User: {{disabledsystemuser}}
• Username: {{disabledsystemuser}}
• Email: {{[email protected]}}

If this account does not show up in the list of active users, the Confluence instance is not affected.
h3. Remediation

(!) Uninstalling the Questions for Confluence app does not remediate this vulnerability. The {{disabledsystemuser}} account does not automatically get removed after the app has been uninstalled. If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below. (!)
h4. Option 1: Update to a non-vulnerable version of Questions for Confluence

Update the Questions for Confluence app to a fixed version:

• 2.7.x >= 2.7.38
• Versions >= 3.0.5

For more information on how to update an app, refer to [Atlassian’s documentation|https://confluence.atlassian.com/upm/updating-apps-273875710.html].

Fixed versions of the Questions for Confluence app stop creating the {{disabledsystemuser}} user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.

(!) If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.
h4. Option 2: Disable or delete the {{disabledsystemuser}} account

Search for the {{disabledsystemuser}} account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to [Atlassian’s documentation|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html].

If you choose to delete the {{disabledsystemuser}} account, you must also [uninstall|https://confluence.atlassian.com/upm/uninstalling-apps-273875709.html] or upgrade the Questions for Confluence app to a non-vulnerable version. Failure to do this could result in the account being recreated after it has been deleted.

If Confluence is configured to use a read-only external directory, refer to the [Delete from a read-only external directory, or multiple external directories section|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html#DeleteorDisableUsers-Deletefromaread-onlyexternaldirectory,ormultipleexternaldirectories] from the same document
h3. Frequently Asked Questions

We’ll update the [FAQ for CVE-2022-26138|https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html] with answers for commonly asked questions.
h3. Security Advisory

For additional details, refer to [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html].