Atlassian has fixed three critical vulnerabilities and is urging customers using Confluence, Bamboo, Bitbucket, Crowd, Fisheye and Crucible, Jira and Jira Service Management to update their instances as soon as possible.
There is no mention of these vulnerabilities being exploited in the wild, but flaws in Atlassian Confluence are often leveraged by attackers.
CVE-2022-26138 affects the Questions for Confluence app, which is deployed and used by some Confluence Server and Data Center customers.
Because of this, and because uninstalling the app does not automatically remove the disabledsystemuser account, AND because it’s possible the account has been previously created by a version of the app that has been installed and uninstalled, Atlassian urges customers to check whether that active user account is present and to disable or delete it before or after updating to a non-vulnerable version of the app.
“These vulnerabilities affect the code included with each affected product. Systems are still affected even if they do not have any third-party apps installed,” Atlassian added.
“Unfortunately, Atlassian cannot confirm if an instance has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation. Atlassian recommends checking the integrity of the application filesystem, for example, comparison of artifacts in their current state with recent backups to see if there are any unexpected differences. All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files such as depending on the component that has been compromised.”
