Hardcoded Password In Confluence Leaked On Twitter (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was "trivial to obtain."

The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence. "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. "It is important to remediate this vulnerability on affected systems immediately."

A day later, Atlassian was back to report that "an external party has discovered and publicly disclosed the hardcoded password on Twitter," leading the company to ratchet up its warnings. "This issue is likely to be exploited in the wild now that the hardcoded password is publicly known," the updated advisory read. "This vulnerability should be remediated on affected systems immediately." The company warned that even when Confluence installations don't actively have the app installed, they may still be vulnerable. Uninstalling the app doesn't automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system.
To figure out if a system is vulnerable, Confluence users can use these instructions Atlassian provided for locating such accounts.

According to the company, the two ways to fix the issue are to disable or remove the "disabledsystemuser" account.
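As an added defender's check (not from the Ars Technica report or Atlassian's own instructions), the script below does the two things the advisory calls for: it flags a still-present disabledsystemuser account that is active or in confluence-users, and it scans access-log lines for requests authenticated as that account. The user records and log lines are constructed, and the log format is assumed to be the common log format with the authenticated user in the third field; adjust the regex to your Tomcat access-log pattern.

```python
import re
from dataclasses import dataclass

# Account name the advisory says Questions for Confluence creates.
SUSPECT_USERNAME = "disabledsystemuser"


@dataclass
class ConfluenceUser:
    """Minimal view of a user record as exported from the Confluence user directory."""
    username: str
    active: bool
    groups: tuple


def find_cve_2022_26138_exposure(users):
    """Return findings for a disabledsystemuser account that is still active or in confluence-users."""
    findings = []
    for u in users:
        if u.username.lower() != SUSPECT_USERNAME:
            continue
        if u.active:
            findings.append(f"{u.username}: account is active; disable or delete it")
        if "confluence-users" in u.groups:
            findings.append(f"{u.username}: in confluence-users, can read all non-restricted pages")
    return findings


# Assumed common log format: client user-ident auth-user [timestamp] "request" status ...
ACCESS_LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})')


def logins_by_suspect_account(log_lines):
    """Return (client, timestamp, request) for each request authenticated as the suspect account."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m.group(2).lower() == SUSPECT_USERNAME:
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_USERS = [
    ConfluenceUser("disabledsystemuser", True, ("confluence-users",)),
    ConfluenceUser("alice", True, ("confluence-users", "confluence-administrators")),
]
SAMPLE_LOG = [
    '10.0.0.5 - disabledsystemuser [22/Jul/2022:10:15:03 +0000] "GET /rest/api/content HTTP/1.1" 200 5120',
    '10.0.0.7 - alice [22/Jul/2022:10:16:11 +0000] "GET /display/ENG/Home HTTP/1.1" 200 8800',
    '10.0.0.9 - - [22/Jul/2022:10:17:40 +0000] "GET /login.action HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    for f in find_cve_2022_26138_exposure(SAMPLE_USERS):
        print("FINDING:", f)
    for hit in logins_by_suspect_account(SAMPLE_LOG):
        print("SUSPECT LOGIN:", hit)
```

Any hit from the log scan after the account was supposed to be disabled is worth treating as a possible exploitation of the leaked password, not just a misconfiguration.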
  • Same old (Score:5, Informative)

    by Anonymous Coward on Friday July 22, 2022 @05:24PM (#62725804)

    Look at these guys' CVE log. Why would anyone use this software?

  • by awwshit ( 6214476 ) on Friday July 22, 2022 @06:00PM (#62725860)

    > disabledsystemuser

    Oh the irony.

  • Seriously. I am not surprised though to learn that Confluence "developers" are utterly incompetent morons that should be banned from coding for life.

    • by lexios ( 1684614 )
      Maybe the "developers" were not the ones who thought this was a good idea? It could've been a "Product Owner" or somebody else.
      • by znrt ( 2424692 ) on Friday July 22, 2022 @07:50PM (#62726064)

        i don't think so. product owners typically only place post-its with one-liners in vivid colors on whiteboards, occasionally move them around and in general act super-cool. it's the monk... ahem, developers who get to figure out everything else, from design to release. it's "agile".

        actually, scratch that, there is no design. it's "agile"! hence these fuckups. and this is nothing! :-D

        • by znrt ( 2424692 ) on Friday July 22, 2022 @07:53PM (#62726068)

          forgot to add: if anything goes south, it's the monk... ahem, the developer's fault. this is the main reason of the success of "agile": plausible deniability.

          • by upuv ( 1201447 )

            What is agile and what people call agile are vastly different things. Very few shops I've been in actually do agile. They just use agile boards as a shared sticky note system.

            Almost no organisations I've been in actually do anything about paying down tech debt. Let alone have a means of recording it, measuring it etc.

            And this CVE has all the telltales of a bad piece of tech debt. Tech debt hiding in a broken agile workflow.

            • by znrt ( 2424692 )

              indeed.

              agile was coined by a group of highly motivated and talented developers who did mostly innovation and thus had considerable freedom in both what to produce and how, plus no significant money or time constraints but very high flexibility and quality requirements. it worked splendidly for them, but most of the industry is just the opposite of that so the same formula can't possibly work and just produces one aberration after another. yet is still universally adopted because it has become sort of a cult

            • What is agile and what people call agile are vastly different things.

              There is no such thing as Agile; it's devolved into "do whatever you want and call it Agile".

              And it sucks for a lot of types of work, which is why despite months of dutifully attending the training they put us through, my team doesn't use ANY agile crap.

              And because of that we're getting more work done than the next two teams combined. We just have to hide it from the boss.

              When they ask for the DoD or what the acceptance criteria are, we tell them pretty lies. We don't have time to fuck around with pointless

      • by gweihir ( 88907 )

        Maybe the "developers" were not the ones who thought this was a good idea? It could've been a "Product Owner" or somebody else.

        Unlikely. Even more unlikely after a competent developer has explained the consequences.

    • Is using software supposed to hurt like confluence does?
  • by 93 Escort Wagon ( 326346 ) on Friday July 22, 2022 @06:58PM (#62725964)

    As soon as these guys bought Trello, I figured it was time to start looking for alternatives. There are a lot of options, but unfortunately none that work as well for me as Trello... used to work for me.

  • by bb_matt ( 5705262 ) on Saturday July 23, 2022 @12:44AM (#62726416)

    I have to use Confluence at work - in fact, as well as Jira.

    They are a running joke which really isn't that funny, when it comes to productivity.

    I refer to confluence as a black hole of undiscoverable content, the search functionality is so poor.
    It's a bloated mess that keeps getting more bells and whistles added that nobody wants or needs.

    Instead of fixing the _core_ problems the app has - search functionality and performance - it seems the company prefers to just bolt on new features.

    Jira - I mean, there's a decent app here just waiting to get out, but again, it suffers from bloat, frequent crippling slowdown and content discovery issues.

    And clearly, this Slashdot story points at the reasons why - the underlying code is a giant spaghetti monster, that is probably way beyond refactoring by now. When the foundations are crumbling, time to start again.

    • Jira - I mean, there's a decent app here just waiting to get out, but again, it suffers from bloat, frequent crippling slowdown and content discovery issues.

      Geez, this is the truth. Until I didn't have to deal with Jira on a regular basis, I had to have our IT folks restart the server every few weeks because the response to Jira API calls got so slow that it was making stuff time out.

    • I use it at work as well, and everything you said is spot-on.

      When someone tells me they can't find a document, I tell them, "I know", and I disconnect the call.

  • Apparently nobody does any design security reviews at Atlassian, unless they hired the most incompetent security people they could get their hands on, who thought an obscurely named username equals security. Perhaps no design reviews at all, just code up whatever appears to make a new feature work, just enough to demo to managers, then ship it. You'd think security would be at the top of the priorities for hosted services. *sigh*
  • I use Confluence all the time at work, and it's wretched. The cloud version of Confluence is so broken that I honestly can't understand why any company still uses it.

    Bulleted lists- somewhat broken.
    Numbered lists- totally broken.
    Fonts? No. You get one (1) font for use in a paragraph.
    Want to change the size of a header? No.
    Want to change the size of some text? No.
    Want to highlight some text? No.
    Want a line of code inline with some other text (like the name of a function)? No.
    Want to use custom colors for fon
