{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-052.pdf"
    },
    "title": "UPDATE: Critical Vulnerability in Questions for Confluence",
    "serial_number": "2022-052",
    "publish_date": "02-08-2022 12:45:00",
    "description": "On July 20th, Atlassian released a security advisory to address a critical vulnerability that affects the Questions for Confluence app. When the app is enabled on Confluence Server or Data Center, it creates the Confluence user account \"disabledsystemuser\". The account is intended to aid administrators, and it is created with a hardcoded password and is added to the \"confluence-users\" group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the \"confluence-users\" group has access to.<br><br>[UPDATE] The \"disabledsystemuser\" account is configured with a third-party email address that is not controlled by Atlassian, meaning that an affected instance configured to send notifications will e-mail that address and potentially disclose information.<br><br>The hardcoded password was publicly disclosed by an external party on Twitter on July 21st, which makes exploitation in the wild highly likely; therefore an immediate update to a patched version is highly recommended.",
    "url_title": "2022-052",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0_Questions\u00a0for\u00a0Confluence_'\nversion: '1.1'\nnumber: '2022-052'\noriginal_date: 'July 20, 2022'\ndate: 'August 01, 2022'\n---\n\n_History:_\n\n* _22/07/2022 --- v1.0 -- Initial publication_\n* _01/08/2022 --- v1.1 -- Update on information disclosure to third party and how to detect it_\n\n# Summary\n\nOn July 20th, Atlassian released a security advisory to address a critical vulnerability that affects the _Questions for Confluence_ app [1]. When the app is enabled on Confluence Server or Data Center, it creates the Confluence user account `disabledsystemuser`. The account is intended to aid administrators, and it is created with a hardcoded password and is added to the `confluence-users` group, which allows viewing and editing all non-restricted pages within Confluence by default [2]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the `confluence-users` group has access to.\n\n[UPDATE] The `disabledsystemuser` account is configured with a third-party email address that is not controlled by Atlassian, meaning that an affected instance configured to send notifications [3] will e-mail that address and potentially disclose information.\n\nThe hardcoded password was publicly disclosed by an external party on Twitter [4] on July 21st, which makes exploitation in the wild highly likely; therefore an immediate update to a patched version is highly recommended.\n\n# Technical Details\n\n## How to Determine if You Are Affected\n\nAdmins who want to determine if their Confluence Server or Data Center instance is affected have to check for an active user account with the following information:\n\n- User: `disabledsystemuser`\n- Username: `disabledsystemuser`\n- Email: `dontdeletethisuser@email.com`\n\nIf the account is not in the list of active users, the Confluence instance is not affected.\n\nPlease note that it is possible for this account to exist even if the _Questions for Confluence_ app has been previously installed and uninstalled.\n\n## How to Look for Evidence of Exploitation\n\nTo determine if the vulnerability has been exploited, you can consult Confluence documentation on how to get a list of users with their last logon times. If the last authentication time for `disabledsystemuser` is `null`, that means the account exists, but no one has ever logged into it.\n\nPlease find the link to the documentation at the bottom of the page [5].\n\n## [UPDATE] How To Look For Evidence of Information Disclosure Via Email\n\nIn order to determine if Confluence has sent e-mail notifications to third-party e-mail addresses, Atlassian suggests reviewing the logs of the SMTP server configured to send outbound mail from Confluence [6] and identifying any messages sent to the `dontdeletethisuser@email.com` address.\n\n# Affected Products\n\nThe following products are affected by the vulnerability:\n\n- Questions for Confluence 2.7.x - versions 2.7.34, 2.7.35\n- Questions for Confluence 3.0.2 - version 3.0.2\n\nPlease be aware that these are the versions of the app that create the `disabledsystemuser` user with a hardcoded password; however, Confluence installations that do not actively have any of these versions of the app installed may still be affected.\n\nRefer to the [How to Determine if You Are Affected] section above for more information.\n\n# Recommendations\n\nThe following two options have been provided to address the flaw:\n\n- **Update to a non-vulnerable version of Questions for Confluence:**\n    - For versions 2.7.x, update to 2.7.38 or higher.\n    - Version 3.0.5 or higher.\n- **Disable or delete the disabledsystemuser account.**\n\nPlease note that uninstalling the _Questions for Confluence_ app does not remediate this vulnerability, as the `disabledsystemuser` account does not automatically get removed after the app has been uninstalled.
\n\n\n# References\n\n[1] <https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>\n\n[2] <https://confluence.atlassian.com/doc/confluence-groups-139478.html>\n\n[3] <https://confluence.atlassian.com/doc/email-notifications-145162.html>\n\n[4] <https://twitter.com/fluepke/status/1549892089181257729>\n\n[5] <https://confluence.atlassian.com/confkb/how-to-get-a-list-of-users-with-their-last-logon-times-985499701.html>\n\n[6] <https://confluence.atlassian.com/doc/configuring-a-server-for-outgoing-mail-151078.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/07/2022 --- v1.0 -- Initial publication</em></li><li><em>01/08/2022 --- v1.1 -- Update on information disclosure to third party and how to detect it</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 20th, Atlassian released a security advisory to address a critical vulnerability that affects the <em>Questions for Confluence</em> app [1]. When the app is enabled on Confluence Server or Data Center, it creates the Confluence user account <code>disabledsystemuser</code>. The account is intended to aid administrators, and it is created with a hardcoded password and is added to the <code>confluence-users</code> group, which allows viewing and editing all non-restricted pages within Confluence by default [2]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the <code>confluence-users</code> group has access to.</p><p>[UPDATE] The <code>disabledsystemuser</code> account is configured with a third-party email address that is not controlled by Atlassian, meaning that an affected instance configured to send notifications [3] will e-mail that address and potentially disclose information.</p><p>The hardcoded password was publicly disclosed by an external party on Twitter [4] on July 21st, which makes exploitation in the wild highly likely; therefore an immediate update to a patched version is highly recommended.</p><h2 id=\"technical-details\">Technical Details</h2><h3 id=\"how-to-determine-if-you-are-affected\">How to Determine if You Are Affected</h3><p>Admins who want to determine if their Confluence Server or Data Center instance is affected have to check for an active user account with the following information:</p><ul><li>User: <code>disabledsystemuser</code></li><li>Username: <code>disabledsystemuser</code></li><li>Email: <code>dontdeletethisuser@email.com</code></li></ul><p>If the account is not in the list of active users, the Confluence instance is not affected.</p><p>Please note that it is possible for this account to exist even if the <em>Questions for Confluence</em> app has been previously installed and uninstalled.</p><h3 id=\"how-to-look-for-evidence-of-exploitation\">How to Look for Evidence of Exploitation</h3><p>To determine if the vulnerability has been exploited, you can consult Confluence documentation on how to get a list of users with their last logon times. If the last authentication time for <code>disabledsystemuser</code> is <code>null</code>, that means the account exists, but no one has ever logged into it.</p><p>Please find the link to the documentation at the bottom of the page [5].</p><h3 id=\"update-how-to-look-for-evidence-of-information-disclosure-via-email\">[UPDATE] How To Look For Evidence of Information Disclosure Via Email</h3><p>In order to determine if Confluence has sent e-mail notifications to third-party e-mail addresses, Atlassian suggests reviewing the logs of the SMTP server configured to send outbound mail from Confluence [6] and identifying any messages sent to the <code>dontdeletethisuser@email.com</code> address.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following products are affected by the vulnerability:</p><ul><li>Questions for Confluence 2.7.x - versions 2.7.34, 2.7.35</li><li>Questions for Confluence 3.0.2 - version 3.0.2</li></ul><p>Please be aware that these are the versions of the app that create the <code>disabledsystemuser</code> user with a hardcoded password; however, Confluence installations that do not actively have any of these versions of the app installed may still be affected.
</p><p>Refer to the [How to Determine if You Are Affected] section above for more information.</p><h2 id=\"recommendations\">Recommendations</h2><p>The following two options have been provided to address the flaw:</p><ul><li><strong>Update to a non-vulnerable version of Questions for Confluence:</strong><ul><li>For versions 2.7.x, update to 2.7.38 or higher.</li><li>Version 3.0.5 or higher.</li></ul></li><li><strong>Disable or delete the disabledsystemuser account.</strong></li></ul><p>Please note that uninstalling the <em>Questions for Confluence</em> app does not remediate this vulnerability, as the <code>disabledsystemuser</code> account does not automatically get removed after the app has been uninstalled. </p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html\">https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/doc/confluence-groups-139478.html\">https://confluence.atlassian.com/doc/confluence-groups-139478.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/doc/email-notifications-145162.html\">https://confluence.atlassian.com/doc/email-notifications-145162.html</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/fluepke/status/1549892089181257729\">https://twitter.com/fluepke/status/1549892089181257729</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/confkb/how-to-get-a-list-of-users-with-their-last-logon-times-985499701.html\">https://confluence.atlassian.com/confkb/how-to-get-a-list-of-users-with-their-last-logon-times-985499701.html</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://confluence.atlassian.com/doc/configuring-a-server-for-outgoing-mail-151078.html\">https://confluence.atlassian.com/doc/configuring-a-server-for-outgoing-mail-151078.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}