FAQ for CVE-2022-26138
General Information
When the Questions for Confluence app is installed and enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence. Read more about Questions For Confluence App - CVE-2022-26138
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will update this page as new information becomes available.
Are Cloud instances affected by this app?
No, Atlassian cloud instances are not vulnerable and no customer action is required.
Are other Atlassian Server (DC) products affected by this vulnerability?
No, this vulnerability only affects Confluence Server and Data Center instances that have ever installed and enabled a vulnerable version of the Questions for Confluence app.
Are Confluence Server/DC instances affected?
This vulnerability affects Confluence Server and Data Center instances that have ever installed and enabled vulnerable versions of the Questions for Confluence app. It's possible for instance to have previously installed then uninstalled the app, and still be affected.
Questions for Confluence is not installed with Confluence by default. It's a paid, optional add-on.
How do I know if I'm using Questions for Confluence?
In Confluence, go to the Manage Apps page, filter by User-Installed apps, and search for Questions for Confluence
How do I protect my Confluence instance against this issue?
There are two equally effective options for protecting your Confluence instance against CVE-2022-26138:
- Upgrade to a fixed version of the Questions for Confluence app
- 2.7.x >= 2.7.38
- 3.0.x >= 3.0.5
- Disable or delete the
disabledsystemuser
account
Fixed versions of the Questions for Confluence app stop creating the disabledsystemuser
user account and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.
Please note: uninstalling the Questions for Confluence app does not remediate this vulnerability.
For more information, refer to the Remediation section of Questions For Confluence App - CVE-2022-26138.
I need help upgrading the app, what should I do?
We recommend keeping your apps (also known as add-ons or plugins) up to date. Apps installed via the marketplace can receive updates at any time, independent of core application updates.
If UPM can connect to the Marketplace, it will notify you when a new version of an installed app is available. Only versions that are compatible with your current application version will be displayed.
You can update apps individually, or all at once.
You can update the app from these versions:
2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
For more information on how to update an app, refer to updating apps.
I'm seeing the user "disabledsystemuser", should I disable or delete it?
We recommend updating the Questions for Confluence app which will remove this user from the system. If this isn't possible for any reason, you should disable or delete the user.
I could not find the user "disabledsystemuser", am I safe?
Yes, the vulnerability requires this user to exist and to be enabled/active.
How does Atlassian decide whom to send these emails to?
Atlassian sends a copy of all critical security advisories to the 'Alerts' mailing list for the product concerned, excluding Sourcetree. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email.
Can we determine if Confluence has already been compromised?
To determine if anyone has successfully logged in to the disabledsystemuser
account, refer to the following document which provides instructions on how to get a list of users' last logon times:
If the last authentication time for disabledsystemuser
is null, which means the account exists but no one has ever logged into it.
How do I know if the patch/update works?
In the User management section of Confluence, search for the disabledsystemuser
user, if this user no longer exists, then the update worked.
How do we know there won't be another advisory in a month?
We are aware that having multiple advisories in such a short period presents a challenge. Starting in July 2022, Atlassian will publish critical security advisories once a month at most with the following exceptions:
- A critical vulnerability is publicly and widely known
- There are verifiable reports of exploitation in the wild
Why have there been so many advisories lately?
Atlassian uses multiple methods to identify critical security vulnerabilities in our products. When a critical vulnerability is discovered, it's our duty to notify you in a timely manner so that you can protect your systems.