A important Atlassian Confluence vulnerability that was disclosed final week is now being actively exploited within the wild, researchers are warning.
In accordance with researchers at Rapid7, the bug in query (CVE-2022-26138, one in all three patched final week) is because of a hardcoded password within the Questions for Confluence app, which might enable cyberattackers to achieve full entry to information throughout the on-premises Confluence Server and Confluence Knowledge Heart platforms.
Extra particularly, as soon as put in, the Questions for Confluence app will “create a consumer account with a hard-coded password and add the account to a consumer group, which permits entry to all nonrestricted pages in Confluence,” based on Rapid7’s posting. “This simply permits a distant, unauthenticated attacker to browse a corporation’s Confluence occasion.”
The stakes are excessive. Many organizations use Confluence for venture administration and collaboration amongst groups scattered throughout on-premises and distant areas. Usually Confluence environments can home delicate information on initiatives that a corporation is likely to be engaged on, or home it on its prospects and companions.
Organizations are urged to patch rapidly as a result of the password was made public final week, prompting emergency motion by Atlassian. Confluence is sadly a preferred goal for attackers, as evidenced by the lively exploitation of the bug tracked as CVE-2022-26134 in June, used to unfold ransomware.
Admins ought to word: The bug solely exists when the Questions for Confluence app is enabled, and it doesn’t influence the Confluence Cloud occasion. Nonetheless, crucially, “uninstalling the Questions for Confluence app doesn’t remediate this vulnerability,” based on Atlassian’s advisory final week.
“Confluence has had no scarcity of headlines,” Rick Holland, CISO at Digital Shadows, stated by way of electronic mail. “Hardcoded passwords considerably enhance the chance of exploitation, particularly when the passwords develop into extensively shared. In the event you play soccer, hardcoded passwords are ‘personal objectives.’ Adversaries rating sufficient objectives alone; we need not put the ball in our personal web. By no means use hardcoded passwords; take the time to arrange correct authentication and reduce future dangers.”
