Atlassian Security Updates Include Fix for Hard-Coded Password Issue
Atlassian’s security advisories for July 2022 include fixes for a hard-coded password vulnerability affecting the Questions for Confluence app for Confluence Server and Data Center. The app installs a user account, “disabledsystemuser,” that admins can use to migrate data to the Confluence Cloud. Atlassian notes that “a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.” Users are urged to update to Questions for Confluence versions 2.7.38 and 3.0.5. Users can also disable or delete the account. A second advisory addresses multiple servlet filter vulnerabilities in eight of its products.
Not just for the hard-coded password: these vulnerabilities are serious and the fixes need to be applied expeditiously. These Atlassian products are often central to an organization's software development process, and a compromise could endanger that software.
When a physical substance (asbestos, lead, Red Dye #2, etc.) is found to be poisonous or dangerous, society can move pretty quickly to ban it. But bad habits (eating too much fat/sugar/salt, leaving the keys in the ignition, buffer overflows in code, hard-coded passwords in apps, etc.) are much harder to eliminate. Every modern app testing tool detects the worst software coding/app security mistakes – require all software suppliers to show evidence of having run such tools or to be part of programs such as Veracode Verified, where the app test software vendor does it for them.
Atlassian included this account to aid cloud migration, and while considerate, including either hard-coded credentials or authorization keys has repeatedly been found to be a source of exploitation. Make sure that your Atlassian products don't include the disabledsystemuser account; delete it if found, and create fresh credentials for migration only for the duration of the project if you elect to migrate. Add checking for (and removing) disabled accounts "out of the box" right next to changing default passwords in your software installation/update process.
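One way to build the check suggested above into an install/update process: an added audit script (not Atlassian's code) that asks a Confluence Server/Data Center instance whether the disabledsystemuser account from the advisory exists and whether it sits in confluence-users. It assumes the Confluence Server REST endpoints /rest/api/user and /rest/api/user/memberof and the JSON shape shown in the comments; the base URL and admin credentials are placeholders.

```python
# Added example, not Atlassian's code: audit one Confluence Server/Data Center
# instance for the "disabledsystemuser" account. Assumes the Confluence Server REST
# endpoints /rest/api/user and /rest/api/user/memberof, and for the latter the
# response shape {"results": [{"type": "group", "name": ...}]}.
import base64
import json
import sys
import urllib.error
import urllib.request

SUSPECT_USER = "disabledsystemuser"
EXPOSED_GROUP = "confluence-users"  # membership grants the page access the advisory warns about

def assess(user_exists: bool, groups: list) -> dict:
    """Raw findings -> verdict; highest risk when the account exists and is in confluence-users."""
    in_group = EXPOSED_GROUP in groups
    if not user_exists:
        verdict = "ok: account not present"
    elif in_group:
        verdict = f"high: {SUSPECT_USER} exists and is in {EXPOSED_GROUP}; delete or disable it"
    else:
        verdict = f"medium: {SUSPECT_USER} exists; delete it unless a migration is in progress"
    return {"exists": user_exists, "in_exposed_group": in_group, "verdict": verdict}

def parse_memberof(body: str) -> list:
    """Group names from a /rest/api/user/memberof JSON body (assumed shape, see above)."""
    return [g["name"] for g in json.loads(body).get("results", []) if g.get("type") == "group"]

def fetch(base_url: str, path: str, auth: str) -> tuple:
    """GET a REST path with HTTP basic auth ('user:password'); returns (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", "Basic " + base64.b64encode(auth.encode()).decode())
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # a 404 here means the user does not exist
        return e.code, e.read().decode()

def audit(base_url: str, auth: str) -> dict:
    """Live check: does the account exist, and is it in the exposed group?"""
    status, _ = fetch(base_url, f"/rest/api/user?username={SUSPECT_USER}", auth)
    groups = []
    if status == 200:
        status2, body = fetch(base_url, f"/rest/api/user/memberof?username={SUSPECT_USER}", auth)
        if status2 == 200:
            groups = parse_memberof(body)
    return assess(status == 200, groups)

if __name__ == "__main__":  # usage: python audit.py https://confluence.example.internal admin:password
    print(audit(sys.argv[1], sys.argv[2])["verdict"])
```

Run it against each instance after every install or upgrade; a "high" verdict means the account is present with the group membership the advisory describes and should be deleted or disabled before the instance is exposed.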
Read more in
Bleeping Computer: Atlassian fixes critical Confluence hardcoded credentials flaw