How to Fix CVE-2022-26138- A Critical Disabledsystemuser Password Leak Vulnerability in Confluence Server and Data Center

Australian software company Atlassian has warned users to immediately patch a critical vulnerability, CVE-2022-26138, which gives remote attackers hardcoded credentials to log into unpatched Confluence Server and Data Center instances. The issue is likely to be exploited in the wild because the hardcoded password is publicly known, and attackers equipped with that knowledge can use it to log into vulnerable Confluence servers. The issue needs to be fixed; therefore, this article explains How to Fix CVE-2022-26138- A Critical Disabledsystemuser Password Leak Vulnerability in Confluence Server and Data Center.

What Is Confluence Server And Data Center?

Confluence Server and Data Center are versions of Confluence designed for large organizations. Confluence Server is deployed on-premises, while Confluence Data Center is deployed in the cloud. Both versions offer high availability and performance at scale. Confluence Server and Data Center offer a number of features not available in the Confluence Cloud version, including:

  1. Granular permissions: Confluence Server and Data Center allow you to set up granular permissions, so you can control who has access to what information.
  2. Active Directory integration: Confluence Server and Data Center can be integrated with Active Directory, making it easy to manage user accounts and permissions.
  3. Backup and restore: Confluence Server and Data Center include built-in backup and restore capabilities, so you can always revert to a previous version if something goes wrong.
  4. Single sign-on: Confluence Server and Data Center support single sign-on (SSO), so users only have to remember one set of credentials to access Confluence and other applications.

If you’re looking for an enterprise-grade Confluence solution, Confluence Server or Data Center is the way to go.

Summary Of CVE-2022-26138:

The vulnerability is a credential leak. The flaw is due to a hardcoded password for the service account ‘disabledsystemuser’ (used to transfer data between the Questions for Confluence app and Confluence Cloud) in Confluence Server and Data Center.

The issue is tracked as CVE-2022-26138 and has been assigned a severity of critical. Let’s look at some technical information about the vulnerability and how to fix the CVE-2022-26138 vulnerability in the coming sections.

The service account ‘disabledsystemuser’ is created and added to the confluence-users group when a user enables the Questions for Confluence app on a Confluence Server or Data Center instance. The actual problem is the account’s password: the app sets a common default password for this account and places it in its code. Once that password is leaked publicly, any remote user can use it to log in to the Confluence Server or Data Center instance and view any pages the confluence-users group has access to.

Unfortunately, the advisory says, “An external party has discovered and publicly disclosed the hardcoded password on Twitter.” This is what made the issue critical and forced users of Confluence Server, Data Center, and Confluence Cloud to fix the CVE-2022-26138 vulnerability.

Confluence Server And Data Center Versions Affected By CVE-2022-26138:

Here are the versions of the Questions for Confluence app affected by CVE-2022-26138, the Critical Disabledsystemuser Password Leak Vulnerability in Confluence Server and Data Center:

Questions for Confluence 2.7.x: 2.7.34, 2.7.35
Questions for Confluence 3.0.x: 3.0.2

How To Fix CVE-2022-26138- A Critical Disabledsystemuser Password Leak Vulnerability In Confluence Server And Data Center

Atlassian reported that the flaw is fixed in the releases mentioned below. Atlassian recommends two approaches to fix the CVE-2022-26138 flaw. The first is to upgrade to a fixed version or the latest long-term support release. The second is to disable or delete the service account ‘disabledsystemuser’ that is responsible for the flaw. Let’s look at both approaches one after the other.

How to Upgrade

There are four ways to upgrade apps.

Method 1

To update an app:

  1. As an administrative user, sign in to your Atlassian application. 
  2. From the top navigation bar, click on the settings icon and click on Add-ons or Manage apps.
  3. From the drop-down menu, click on Action required.
  4. Locate and choose the app you want to update.
  5. Click on the Update button, and your app will be updated.

A success message will appear once the app is updated. 

Method 2

You can update all the apps at once. To do this:

  1. As an administrative user, sign in to your Atlassian application.
  2. From the top navigation bar, click on the settings icon and click on Add-ons or Manage apps.
  3. From the drop-down menu, click on Action required.
  4. Choose the Update All button, and all eligible apps will be updated to their latest versions.

Apps may be ineligible to update because:

  • The free app has changed to paid.  
  • App license doesn’t enable you to upgrade.

Method 3: Updating Apps By File Upload

You can also update an app manually by uploading the updated JAR file. To do this:

  1. As an administrative user, sign in to your Atlassian application.
  2. From the top navigation bar, click on the settings icon and click on Add-ons or Manage apps.
  3. From the drop-down menu, click on Upload add-on or Upload app.
  4. Locate the app file and click Upload.

The file will be uploaded and installed, and the outdated version is replaced by the latest version.

Method 4: Enabling Automatic Update

Enabling automatic updates will update the app to the latest version automatically. To enable automatic updates:

  1. As an administrative user, sign in to your Atlassian application.
  2. From the top navigation bar, click on the settings icon and click on Add-ons or Manage apps.
  3. At the bottom of the page, click on the Settings link. 
  4. Enable the Automatically Update Atlassian-Selected Apps option.
  5. Click Apply.

How To Disable Or Delete The Disabledsystemuser Account

Disable A User Account

To disable a user account:

  1. Go to Settings > User management.
  2. Search and locate the user you want to disable.
  3. Click Disable. 

Unsync A User Account

To unsync a user account:

  1. Go to your external directory.
  2. Exclude the user account from the synchronized accounts with Confluence. 

Delete A User Account

To delete a user account from an internal Confluence directory or a read/write external directory:

  1. Go to Settings > User management.
  2. Search and locate the user you want to delete.
  3. Click Delete.
  4. Wait for the confirmation. This may take a few minutes. 

To Delete A User Account From A Read-Only External Directory, Or Multiple External Directories:

  1. Remove the user from the external directory. If the user exists in multiple directories, you must delete them from each directory.
  2. In Confluence, go to Settings > User management > Unsynced from directory.
  3. Search and locate the user you want to delete.
  4. Click Delete.
  5. Wait for the confirmation. This may take a few minutes. 

Only Remove Access To Confluence

To do this:

  1. Create a group for users whose access is being removed.
  2. Go to Settings > General Configuration > Global Permissions.
  3. Ensure the group doesn’t have the Can Use Confluence permission.
  4. Change the user’s group membership so they are a member of only that group.

Limitations When Deleting A User Account

  • Free text is not anonymized.
  • Data stored in Synchrony is not deleted immediately.
  • Personal spaces are not deleted.
  • Workbox notifications don’t disappear immediately. 
  • Data stored by third-party apps is not deleted.

For more information, see the Atlassian documentation on deleting or disabling users.

How To Check Whether Your Confluence Server And Data Center Were Compromised

You can use the queries below to see how active your user base is and how many users logged into Confluence during a given period.

Last Logon Times

The query below returns a list of users who last logged in, or last unsuccessfully tried to log in, to Confluence within a defined timeframe.

In PostgreSQL:

-- lastAuthenticated is stored as epoch milliseconds in a text column
WITH last_login_date AS (
  SELECT user_id
       , to_timestamp(CAST(cua.attribute_value AS double precision)/1000) AS last_login
    FROM cwd_user_attribute cua
   WHERE cua.attribute_name = 'lastAuthenticated'
     AND to_timestamp(CAST(cua.attribute_value AS double precision)/1000) < CURRENT_DATE
)
SELECT c.user_name
     , c.lower_user_name
     , c.email_address
     , c.display_name
     , c.last_name
     , g.group_name
     , l.last_login
  FROM cwd_user c
 INNER JOIN last_login_date l ON (c.id = l.user_id)
 INNER JOIN cwd_membership m  ON (c.id = m.child_user_id)
 INNER JOIN cwd_group g       ON (m.parent_id = g.id)
 WHERE g.group_name = '<group-name>'   -- replace with the group to audit, e.g. confluence-users
 ORDER BY last_login DESC;

In MySQL:

SELECT cu.user_name
     , cu.lower_user_name
     , cu.email_address
     , cu.display_name
     , cu.last_name
     , cua.attribute_value                            -- epoch milliseconds as text
     , FROM_UNIXTIME(cua.attribute_value/1000) AS lastAuthenticated
  FROM cwd_user cu
  LEFT JOIN cwd_user_attribute cua
         ON cu.id = cua.user_id
        AND cua.attribute_name = 'lastAuthenticated'
 ORDER BY lastAuthenticated DESC;

Last Successful Login Times

The query below returns a list of users who last successfully logged into Confluence within a defined timeframe.

WITH last_login_date AS (
  SELECT user_id
       , to_timestamp(CAST(cua.attribute_value AS double precision)/1000) AS last_login
    FROM cwd_user_attribute cua
   WHERE cua.attribute_name = 'lastAuthenticated'
     AND to_timestamp(CAST(cua.attribute_value AS double precision)/1000) < CURRENT_DATE
)
SELECT c.user_name
     , c.lower_user_name
     , c.email_address
     , c.display_name
     , c.last_name
     , g.group_name
     , li.successdate                 -- last successful login recorded by Confluence
  FROM cwd_user c
 INNER JOIN last_login_date l ON (c.id = l.user_id)
 INNER JOIN cwd_membership m  ON (c.id = m.child_user_id)
 INNER JOIN cwd_group g       ON (m.parent_id = g.id)
 INNER JOIN user_mapping um   ON (c.user_name = um.username)
 INNER JOIN logininfo li      ON (um.user_key = li.username)
 WHERE g.group_name LIKE '<group-name>'
 ORDER BY successdate DESC;

Last Failed Login Times

The following query returns a list of users who last failed to log in to Confluence within your defined timeframe.

WITH last_login_date AS (
  SELECT user_id
       , to_timestamp(CAST(cua.attribute_value AS double precision)/1000) AS last_login
    FROM cwd_user_attribute cua
   WHERE cua.attribute_name = 'lastAuthenticated'
     AND to_timestamp(CAST(cua.attribute_value AS double precision)/1000) < CURRENT_DATE
)
SELECT c.user_name
     , c.lower_user_name
     , c.email_address
     , c.display_name
     , c.last_name
     , g.group_name
     , li.faileddate                  -- last failed login attempt recorded by Confluence
  FROM cwd_user c
 INNER JOIN last_login_date l ON (c.id = l.user_id)
 INNER JOIN cwd_membership m  ON (c.id = m.child_user_id)
 INNER JOIN cwd_group g       ON (m.parent_id = g.id)
 INNER JOIN user_mapping um   ON (c.user_name = um.username)
 INNER JOIN logininfo li      ON (um.user_key = li.username)
 WHERE g.group_name LIKE '<group-name>'
   AND li.faileddate IS NOT NULL
 ORDER BY faileddate DESC;
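As an added example (not from the original post or from Atlassian), the PostgreSQL query below narrows the checks above to the one account this CVE is about: it reports whether ‘disabledsystemuser’ exists, whether it is still active, which groups it belongs to, and its last recorded successful and failed logins. It uses the same tables as the queries above; the cwd_user.active column (assumed to hold 'T' or 'F') is the only column not already shown on this page.

```sql
-- Added example: audit the CVE-2022-26138 service account on PostgreSQL.
-- Tables and columns follow the queries above; cwd_user.active is assumed
-- to hold 'T' (enabled) or 'F' (disabled).
WITH acct AS (
    SELECT c.id, c.user_name, c.active
      FROM cwd_user c
     WHERE c.lower_user_name = 'disabledsystemuser'
),
last_auth AS (
    -- lastAuthenticated is stored as epoch milliseconds in a text column
    SELECT cua.user_id
         , to_timestamp(CAST(cua.attribute_value AS double precision)/1000) AS last_login
      FROM cwd_user_attribute cua
     WHERE cua.attribute_name = 'lastAuthenticated'
),
memberships AS (
    SELECT m.child_user_id
         , string_agg(g.group_name, ', ' ORDER BY g.group_name) AS group_names
         , bool_or(g.group_name = 'confluence-users')            AS in_confluence_users
      FROM cwd_membership m
      JOIN cwd_group g ON (g.id = m.parent_id)
     GROUP BY m.child_user_id
)
SELECT a.user_name
     , a.active                  -- 'T' means the hardcoded password still works
     , ms.group_names            -- the app adds the account to confluence-users
     , ms.in_confluence_users
     , la.last_login             -- any login deserves review: nobody should use this account
     , li.successdate            -- last successful login recorded in logininfo
     , li.faileddate             -- last failed attempt (someone trying the leaked password?)
     , CASE
         WHEN a.active = 'T'
              THEN 'EXPOSED: disable or delete the account, then upgrade the app'
         WHEN la.last_login IS NOT NULL OR li.successdate IS NOT NULL
              THEN 'DISABLED, but it has logged in before: review audit logs and page access'
         ELSE 'DISABLED, no login recorded'
       END AS assessment
  FROM acct a
  LEFT JOIN last_auth la    ON (la.user_id = a.id)
  LEFT JOIN memberships ms  ON (ms.child_user_id = a.id)
  LEFT JOIN user_mapping um ON (um.username = a.user_name)
  LEFT JOIN logininfo li    ON (li.username = um.user_key);
-- No rows returned means the account does not exist (app never enabled, or already deleted).
```

A row with an active account or any recorded login is the signal to act on; an empty result only tells you the account is absent now, not that it never existed.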

We hope this post helps you understand How to Fix CVE-2022-26138- A Critical Disabledsystemuser Password Leak Vulnerability in Confluence Server and Data Center. Please share this post and help secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
