
Critical vulnerabilities affect almost all Atlassian applications - updates urgently needed
by Tina Siering

Reports of critical security vulnerabilities in Atlassian products keep coming. The Australian software company is currently warning about three serious vulnerabilities in many of its applications and services.
Attackers can exploit the current vulnerabilities, CVE-2022-26136 and CVE-2022-26137, to bypass authentication used in third-party applications, execute arbitrary JavaScript code and bypass the browser's CORS (Cross-Origin Resource Sharing) mechanism by means of a specially crafted HTTP request.
The vendor has already released updates and strongly advises installing the latest software version to close the vulnerabilities. Virtually all Atlassian solutions are affected by the two vulnerabilities mentioned above:
- Bamboo
- Bitbucket
- Confluence
- Crowd
- Crucible
- Fisheye
- Jira
Another vulnerability, CVE-2022-26138, affects the Atlassian app "Questions For Confluence": when the app is activated on Confluence Server or Data Center, it automatically creates a Confluence user account with the username "disabledsystemuser".
This account is actually intended to help administrators migrate data between the app and Confluence Cloud. The problem: the "disabledsystemuser" account has a hardcoded password, which has already been published on Twitter. Attackers who know the password can log into Confluence and access every page that the confluence-users group has access to.
Confluence versions 2.7.34, 2.7.35, and 3.0.2 are affected by this vulnerability; patches are available in versions 2.7.38 and 3.0.5. Here too, the vendor's update should be installed immediately.
Option:
If this is not possible in a timely manner, delete or deactivate the "disabledsystemuser" account in the meantime, until the update has been applied.
To check whether the "disabledsystemuser" account has already been used in the past, follow the Atlassian knowledge base article: https://confluence.atlassian.com/confkb/how-to-get-a-list-of-users-with-their-last-logon-times-985499701.html
If "Last authentication time" is null, the account has definitely not been used.
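As an added illustration (not part of the original article or of Atlassian's tooling), the following script applies the check described above to a user export with last-authentication times, such as an administrator might produce from the knowledge base query. The CSV column names and the sample rows are constructed assumptions; adapt them to the actual export format.

```python
import csv
import io

# Constructed sample: a CSV export of users with their last authentication
# time. The column names are an assumption, not a fixed Atlassian format.
SAMPLE_EXPORT = """username,last_authentication_time
admin,2022-07-20 08:15:02
disabledsystemuser,Null
jdoe,2022-07-19 17:40:11
"""

# Values that different export tools use for "never authenticated".
NULL_MARKERS = {"", "null", "none", "nil"}


def load_last_auth(csv_text):
    """Map each username (lower-cased) to its last authentication time, or None if null."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip().lower()
        raw = (row.get("last_authentication_time") or "").strip()
        result[name] = None if raw.lower() in NULL_MARKERS else raw
    return result


def assess_account(users, account="disabledsystemuser"):
    """Classify the hardcoded-credential account per the advisory's guidance.

    Returns one of:
      'absent'         - the account does not exist; nothing to do.
      'present-unused' - exists but never authenticated; disable or delete it until patched.
      'present-used'   - exists and has authenticated; treat as possible unauthorized access
                         and review which pages were reached.
    """
    if account not in users:
        return "absent"
    return "present-unused" if users[account] is None else "present-used"


if __name__ == "__main__":
    users = load_last_auth(SAMPLE_EXPORT)
    print(assess_account(users))  # present-unused for the constructed sample
```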
Allgeier secion customers with an active managed service contract for ACD will of course be informed immediately about malicious communication on their systems; we are currently checking for the relevant IoCs in all affected Atlassian products.
Conclusion
The number of vulnerabilities is rising continuously and reached an all-time record of 18,378 reported vulnerabilities in 2021. When it comes to vulnerabilities, time is of the essence: if a vulnerability is exploited by criminals and the attack is discovered too late, it may already have caused widespread damage. With Allgeier secion's Active Cyber Defense Service (ACD), you no longer need a SOC, SIEM or forensics: with the Managed Detection and Response (MDR) solution, your network is scanned end-to-end. The IT security experts of the ACD team alert you immediately as soon as anomalies are registered in the network and action is required, not only after the risky average period of 6 months. This minimizes the critical time between the failure of protective tools and the deployment of a response. ACD relieves your IT security team and can be booked as a managed service at a fixed monthly price.