Update: This advisory has been updated since its original publication.
2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)
- Updated the Remediation section to note that if the disabledsystemuser account is manually deleted, the app must also be updated or uninstalled to ensure the account does not get recreated
2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)
- Updated the Summary of Vulnerability section to note the email service provider for the email@example.com account has confirmed the account has been blocked
2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)
- Updated the Summary of Vulnerability section to note that instances that have not remediated this vulnerability per the Remediation section below may send email notifications from Confluence to a third party email address
- Additional details are available in Confluence Security Advisory 2022-07-20
2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)
- Updated the Remediation section to explain only option 2 can be used for Confluence Server and Data Center instances configured to use a read-only external directory
- Added a link to a page of frequently asked questions about CVE-2022-26138
2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)
- An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately.
- The Vulnerability Summary section has been updated to include this new information
When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.
The disabledsystemuser account is configured with a third party email address (firstname.lastname@example.org) that is not controlled by Atlassian. If this vulnerability has not been remediated per the Fixes section below, an affected instance configured to send notifications will email that address. One example of an email notification is Recommended Updates Notifications, which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the email@example.com account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.
An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the Remediation section below for guidance on how to remediate this vulnerability.
A Confluence Server or Data Center instance is affected if it has an active user account with the following information:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: firstname.lastname@example.org
If this account does not show up in the list of active users, the Confluence instance is not affected.
Uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled. If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below.
Update the Questions for Confluence app to a fixed version:
- 2.7.x >= 2.7.38
- Versions >= 3.0.5
For more information on how to update an app, refer to Atlassian's documentation.
Fixed versions of the Questions for Confluence app stop creating the disabledsystemuser user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.
If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.
Search for the disabledsystemuser account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to Atlassian's documentation.
If you choose to delete the disabledsystemuser account, you must also uninstall or upgrade the Questions for Confluence app to a non-vulnerable version. Failure to do this could result in the account being recreated after it has been deleted.
If Confluence is configured to use a read-only external directory, refer to the Delete from a read-only external directory, or multiple external directories section from the same document
We'll update the FAQ for CVE-2022-26138 with answers for commonly asked questions.
For additional details, refer to Confluence Security Advisory 2022-07-20.