A important Atlassian Confluence vulnerability that was disclosed final week is now being actively exploited within the wild, researchers are warning.
In line with researchers at Rapid7, the bug in query (CVE-2022-26138, one in all three patched final week) is because of a hardcoded password within the Questions for Confluence app, which might enable cyberattackers to achieve full entry to information throughout the on-premises Confluence Server and Confluence Knowledge Middle platforms.
Extra particularly, as soon as put in, the Questions for Confluence app will “create a consumer account with a hard-coded password and add the account to a consumer group, which permits entry to all nonrestricted pages in Confluence,” in response to Rapid7’s posting. “This simply permits a distant, unauthenticated attacker to browse a corporation’s Confluence occasion.”
The stakes are excessive. Many organizations use Confluence for venture administration and collaboration amongst groups scattered throughout on-premises and distant places. Typically Confluence environments can home delicate information on initiatives that a corporation is perhaps engaged on, or home it on its prospects and companions.
Organizations are urged to patch shortly as a result of the password was made public final week, prompting emergency motion by Atlassian. Confluence is sadly a well-liked goal for attackers, as evidenced by the energetic exploitation of the bug tracked as CVE-2022-26134 in June, used to unfold ransomware.
Admins ought to be aware: The bug solely exists when the Questions for Confluence app is enabled, and it doesn’t impression the Confluence Cloud occasion. Nonetheless, crucially, “uninstalling the Questions for Confluence app doesn’t remediate this vulnerability,” in response to Atlassian’s advisory final week.
“Confluence has had no scarcity of headlines,” Rick Holland, CISO at Digital Shadows, mentioned by way of electronic mail. “Hardcoded passwords considerably enhance the probability of exploitation, particularly when the passwords turn out to be extensively shared. If you happen to play soccer, hardcoded passwords are ‘personal objectives.’ Adversaries rating sufficient objectives alone; we needn’t put the ball in our personal internet. By no means use hardcoded passwords; take the time to arrange correct authentication and decrease future dangers.”