1. Introduction
The Questions for Confluence App Default Credentials vulnerability (CVE-2022-26138) affects installations of the ‘Questions for Confluence’ application. This issue allows an attacker to gain administrative access to a Confluence server by using hard-coded default credentials within the app. Affected systems are typically those running the Questions for Confluence marketplace application on a Confluence instance. A successful exploit could lead to complete compromise of confidentiality, integrity and availability of the Confluence installation.
2. Technical Explanation
The remote Confluence web application uses known default credentials for the ‘Questions for Confluence’ marketplace application. An attacker can use these credentials to log in and gain administrative access. The vulnerability exists because the application ships with a hard-coded username and password that are not changed during installation.
- Root cause: Hard-coded default credentials within the Questions for Confluence app.
- Exploit mechanism: An attacker attempts to log into the Confluence instance using the default credentials associated with the Questions for Confluence application. If successful, they gain administrative privileges. For example, an attacker could use a web browser or API client to submit a login request with the default username and password.
- Scope: Confluence instances running the Questions for Confluence marketplace application.
3. Detection and Assessment
You can confirm whether your system is vulnerable by checking the application’s configuration and attempting to log in with the known defaults. A more thorough method is to review the application’s source code or documentation.
- Quick checks: Check the Questions for Confluence app settings within the Confluence administration interface for any default credentials that have not been changed.
- Scanning: Nessus vulnerability scanner ID 56edf34e can detect this issue as an example.
- Logs and evidence: Review Confluence server logs for successful login attempts using the default Questions for Confluence application credentials.
# No command available to directly check; review the app settings in the Confluence UI.
4. Solution / Remediation Steps
The solution is to change the application’s default credentials immediately. Follow these steps for a secure fix.
4.1 Preparation
- Ensure you have administrative access to the Confluence instance. The rollback plan is to restore from backup if needed.
- A change window may be required depending on your organisation’s policies; approval from a system owner might be necessary.
4.2 Implementation
- Step 1: Log in to the Confluence administration console as an administrator.
- Step 2: Navigate to the ‘Questions for Confluence’ application settings.
- Step 3: Locate the section where default credentials can be changed.
- Step 4: Change both the username and password to strong, unique values.
- Step 5: Save the changes.
4.3 Config or Code Example
Before
# Default credentials (example)
Username: admin
Password: password123
After
# Updated credentials
Username: new_admin_username
Password: StrongUniquePassword!
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue. Least privilege limits the impact if an account is compromised, and safe defaults ensure applications are not shipped with easily guessable credentials.
- Practice 1: Implement least privilege principles for all application accounts to reduce the potential damage from a successful exploit.
- Practice 2: Enforce strong password policies and regular credential rotation across all systems.
4.5 Automation (Optional)
No suitable automation script is available due to the UI-based nature of this change.
5. Verification / Validation
Confirm that the fix worked by attempting to log in with the old default credentials and verifying they no longer work. Then, confirm you can log in with your new credentials.
- Post-fix check: Attempt to log into Confluence using the original default username and password; access should be denied.
- Re-test: Re-run the quick checks from Section 3 to verify that no default credentials are present.
- Smoke test: Verify core functionality of the Questions for Confluence application still works with your new credentials, such as creating or answering a question.
- Monitoring: Monitor Confluence logs for failed login attempts using the old default credentials; an increase could indicate ongoing attack attempts.
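The log review in Section 3 (successful logins by the app’s default account) and the monitoring check above (failed attempts against that account) can both be scripted. The Python below is an added example written for this page, not Atlassian’s or the app’s own code. It assumes a simplified, constructed login-audit line format and a placeholder default account name `app_default_user`; both must be adapted to the real log format of your deployment and to the default account name documented for your installed app version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified login-audit line format (constructed for this example;
# real Confluence/Tomcat logs differ, so adapt LOG_RE to your deployment).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) login user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE)$"
)

# Placeholder for the app's default account (assumption: use the account name
# documented by the vendor for the app version you run).
DEFAULT_ACCOUNTS = {"app_default_user"}

# Constructed sample log lines: one successful default-account login and a burst
# of failures from a second address after the credentials were changed.
SAMPLE_LOG = """\
2022-07-21T09:58:02Z 203.0.113.7 login user=alice result=SUCCESS
2022-07-21T09:59:10Z 203.0.113.7 login user=app_default_user result=SUCCESS
2022-07-21T10:00:01Z 198.51.100.23 login user=app_default_user result=FAILURE
2022-07-21T10:00:02Z 198.51.100.23 login user=app_default_user result=FAILURE
2022-07-21T10:00:03Z 198.51.100.23 login user=app_default_user result=FAILURE
2022-07-21T10:00:04Z 198.51.100.23 login user=app_default_user result=FAILURE
2022-07-21T10:00:05Z 198.51.100.23 login user=app_default_user result=FAILURE
2022-07-21T10:45:00Z 203.0.113.7 login user=bob result=FAILURE
2022-07-21T11:30:00Z 198.51.100.23 login user=app_default_user result=FAILURE
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    """Parse a whole log, silently skipping unrelated lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def successful_default_logins(events, accounts=DEFAULT_ACCOUNTS):
    """Section 3 evidence: every successful login by a default app account is a
    potential compromise and should be investigated (source address, time)."""
    return [ev for ev in events if ev["user"] in accounts and ev["result"] == "SUCCESS"]


def failed_login_bursts(events, accounts=DEFAULT_ACCOUNTS,
                        window=timedelta(minutes=5), threshold=5):
    """Section 5 monitoring: report (user, source) pairs whose failed logins
    against a default account reach `threshold` inside a sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["user"] in accounts and ev["result"] == "FAILURE":
            failures[(ev["user"], ev["src"])].append(ev["ts"])

    bursts = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"user": user, "src": src, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # report each (user, source) pair once
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in successful_default_logins(evs):
        print(f"ALERT successful default-account login from {hit['src']} at {hit['ts']}")
    for b in failed_login_bursts(evs):
        print(f"WARN {b['count']} failed logins for {b['user']} from {b['src']} "
              f"between {b['first']} and {b['last']}")
```

Run it against an exported log instead of `SAMPLE_LOG` once `LOG_RE` matches your real line format; a successful default-account login before the fix date is the finding that matters for incident response, while failure bursts after the fix confirm the old credentials are still being tried.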
# No command available to directly check; attempt login via the UI.
6. Preventive Measures and Monitoring
Update security baselines to include a requirement for changing default credentials on all new applications. Incorporate checks in your deployment pipelines to identify applications with default settings.
- Pipelines: Add static analysis (SAST) tools to your CI/CD pipeline to scan for hard-coded credentials in application code and configuration files.
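A minimal version of the pipeline check described above, as an added example and not a tool from the page or from any vendor: it scans configuration and source files for credential-looking literals, skips values that are clearly placeholders or injected at deploy time, and exits non-zero so the CI stage fails. The detection patterns, placeholder conventions and the sample `app.properties` content are all constructed assumptions to be tuned for your code base.

```python
import re
import sys
from pathlib import Path

# Constructed detection patterns (assumption: extend for your own key names).
PATTERNS = [
    ("password-literal", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_.-]?key|token)\b"
        r"\s*[:=]\s*[\"']?(?P<value>[^\s\"',;]+)")),
    ("url-embedded-credentials", re.compile(
        r"(?i)\bhttps?://[^\s/:@]+:(?P<value>[^\s/@]+)@")),
]

# Values that are templates or deploy-time substitutions, not real secrets.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{.*\}|\$[A-Z_]+|<.*>|\{\{.*\}\}|CHANGE_?ME|TODO)$", re.I)


def is_placeholder(value):
    return bool(PLACEHOLDER_RE.match(value))


def scan_text(text, path="<memory>"):
    """Return one finding per line that carries a non-placeholder credential literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m and not is_placeholder(m.group("value")):
                findings.append({"path": str(path), "line": lineno,
                                 "kind": kind, "value": m.group("value")})
    return findings


def scan_tree(root, suffixes=(".properties", ".yml", ".yaml", ".xml", ".env",
                              ".cfg", ".ini", ".py", ".java")):
    """Walk a checkout and scan every file with a configuration or source suffix."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, p))
    return findings


# Constructed sample configuration: two real findings, two placeholders to ignore.
SAMPLE_CONFIG = """\
# constructed sample app.properties
db.url=jdbc:postgresql://db.internal/confluence
db.password=${DB_PASSWORD}
app.admin.user=admin
app.admin.password=password123
backup.url=https://svc:hunter2@backup.internal/store
api.key=<replace-at-deploy>
"""


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    findings = scan_tree(root)
    for f in findings:
        # never echo the matched secret into CI logs; report location and kind only
        print(f"{f['path']}:{f['line']}: {f['kind']} "
              f"(value redacted, {len(f['value'])} chars)")
    return 1 if findings else 0  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoke it as `python scan_credentials.py path/to/checkout` from a CI step; the placeholder filter is what keeps the check usable on templated configuration, so review that regex whenever the team adopts a new secret-injection convention.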
7. Risks, Side Effects, and Roll Back
Changing the credentials incorrectly could lock you out of the application. Always test changes in a non-production environment first. If issues occur, restore from your backup.
- Risk or side effect 1: Incorrectly changing credentials may prevent access to the Questions for Confluence app; ensure you record the new credentials securely.
8. References and Resources
- Vendor advisory or bulletin: No specific vendor advisory available at time of writing.
- NVD or CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138
- Product or platform documentation relevant to the fix: https://support.atlassian.com/questions-for-confluence/