On July 26, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. This security flaw, tracked as CVE-2022-26138, is related to the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.
In its alert, CISA warned that a remote, unauthenticated attacker might access Confluence using these hard-coded credentials and view all content available to the confluence-users group members.
Depending on the page restrictions and the company’s information in Confluence, an attacker who successfully exploits this vulnerability could potentially access and disclose sensitive information.
The Atlassian software company addressed the bug in versions 2.7.38 and 3.0.5; however, it has since come under active exploitation again, as the cybersecurity firm Rapid7 disclosed. A researcher at Rapid7 stated that exploitation efforts do not seem very widespread at this point, but that this situation is expected to change. Furthermore, the security flaw is in the Questions for Confluence app and not in Confluence itself, which reduces the attack surface significantly.
Since the flaw has been added to the catalog, Federal Civilian Executive Branch (FCEB) agencies in the United States must apply patches by August 19, 2022, to reduce their exposure to cyberattacks. Rapid7 added that the vulnerability has been public for only a short time and that this, coupled with the absence of meaningful post-exploitation activity, means no threat actors have yet been attributed to the attacks.
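The practical question for an administrator reading the above is whether a given Confluence instance still falls inside the window the article describes: the Questions for Confluence app enabled and its version below the 2.7.38 or 3.0.5 fix. The following is an added example written for this page, not code from Atlassian, CISA, Rapid7 or the article's author. It assumes the fix applies per major version line (2.x against 2.7.38, 3.x against 3.0.5), which is inferred from the two fix versions the article cites, and it takes the app-enabled flag and version string from whatever inventory the reader already keeps.

```python
"""Exposure check for CVE-2022-26138 based on the fix versions the article names.

Added example; not vendor, CISA, Rapid7 or article code. The per-major-line
comparison below is an assumption drawn from the two cited fix versions.
"""

from typing import Tuple

# Fix versions as stated in the article, keyed by major version line (assumed mapping).
FIXED_VERSIONS = {2: (2, 7, 38), 3: (3, 0, 5)}

# Remediation deadline the article gives for FCEB agencies.
FCEB_DEADLINE = "2022-08-19"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.35' into (2, 7, 35); a trailing non-numeric suffix in a
    component (e.g. '35-beta') is dropped, a fully non-numeric component is an error."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_patched(installed: str) -> bool:
    """True when the installed app version is at or above the fix for its major line.

    A major line the article does not mention (1.x, 4.x, ...) is reported as
    unpatched on purpose: an unknown line should get a human look, not a silent pass.
    """
    version = parse_version(installed)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return False
    return version >= fixed  # tuple comparison is lexicographic, so (2, 7, 35) < (2, 7, 38)


def assess(app_enabled: bool, installed_version: str) -> str:
    """One-line verdict for a single Confluence instance from an inventory record.

    The article ties the flaw to the app being enabled, so a disabled app is
    reported separately from a patched one rather than folded into it.
    """
    if not app_enabled:
        return "app not enabled: outside the condition the article describes"
    if is_patched(installed_version):
        return f"patched: Questions for Confluence {installed_version} is at or above the fix"
    return (
        f"UNPATCHED: Questions for Confluence {installed_version} is below the fix; "
        f"update to 2.7.38 / 3.0.5 (FCEB deadline {FCEB_DEADLINE})"
    )


if __name__ == "__main__":
    # Constructed inventory records, not real hosts.
    inventory = [
        ("confluence-a.example", True, "2.7.35"),
        ("confluence-b.example", True, "3.0.5"),
        ("confluence-c.example", False, "3.0.2"),
    ]
    for host, enabled, version in inventory:
        print(f"{host}: {assess(enabled, version)}")
```

Running the block over the constructed inventory flags the first host as unpatched, the second as patched and the third as having the app disabled; feeding it real records is a matter of replacing the `inventory` list with output from your own asset inventory.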
– Kelly Lekaise (Candidate Attorney at PPM Attorneys, South Africa)
Edited by – Sabrina Bath