Citrix has crafted new signatures and has updated its Citrix Web App Firewall signature file to help customers mitigate the recently disclosed hardcoded-credentials vulnerability in the Atlassian Questions for Confluence app (CVE-2022-26138). The vulnerability was introduced in app versions 2.7.34, 2.7.35 and 3.0.2 and is fixed in versions 2.7.38 and 3.0.5; all app versions prior to those two fixed releases should be treated as affected.

Citrix regularly provides updated signatures, and by keeping your Citrix Web App Firewall signature file up to date you can mitigate risks posed by vulnerabilities like this one. Citrix's threat research team focuses on pushing out mitigations for vulnerabilities, such as CVE-2022-26138, that might create risk for customers. In addition, when customers activate Citrix Web App Firewall's Auto-Enable feature, newly added default signature rules are enabled automatically, so protection against new vulnerabilities takes effect as soon as the signature file is updated.

You can download the signatures and apply them immediately.

Mitigating CVE-2022-26138

The Atlassian Questions for Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. In affected versions of Confluence Server and Data Center, a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit the vulnerability to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Atlassian has provided a patch for vulnerable versions and a workaround for customers not able to immediately update their affected instances. Citrix Web App Firewall customers should also consider the following recommendations to help reduce risk associated with this vulnerability.

The updated Citrix Web App Firewall signatures are designed to mitigate, in part, the CVE-2022-26138 vulnerability. If you are running any of the affected Questions for Confluence app versions on Confluence Server or Data Center, Citrix strongly recommends that you download signature version 90 and apply it to your Citrix Web App Firewall deployments as an additional layer of protection for your applications. With the Auto-Enable feature turned on, the newly added signatures protect you from the moment the file is applied.

Signatures are compatible with Citrix ADC 11.1, 12.0, 12.1, 13.0, and 13.1. Please note, versions 11.1 and 12.0 are at end of life. Learn more about the Citrix release lifecycle.

Signature rule   CVE ID           Description
998933           CVE-2022-26138   WEB-MISC Atlassian Questions For Confluence App – Hardcoded Credentials Vulnerability Via REST API (CVE-2022-26138)
998934           CVE-2022-26138   WEB-MISC Atlassian Questions For Confluence App – Hardcoded Credentials Vulnerability Via Login Form (CVE-2022-26138)

If you are already using Citrix Web App Firewall with signature auto-update enabled, first verify that your signature file is at version 90 or later, then follow these steps to enable the new rules:

  1. Search your signatures for CVE-2022-26138 in the LogString field
  2. Select the results with IDs 998933 and 998934
  3. Choose "Enable Rules" and click OK

Citrix recommends that Citrix Web App Firewall customers use the latest signature version, enable signatures auto-update, and subscribe to receive signature alert notifications. Citrix will continue to monitor this dynamic situation and provide updates as new mitigations become available.

If app availability is inadvertently affected by false positives resulting from the above mitigation policies, Citrix recommends the following modifications to the policy. Please note that any endpoint matched by the exception_list is exempted from these signatures entirely and therefore remains exposed to CVE-2022-26138; keep the list as short as possible and never add the Confluence login or REST API paths to it.

Modifications to Citrix Web App Firewall Policy

1. Create a pattern set that holds the URLs to exclude, and bind each excluded URL to it (here "/exception_url" is a placeholder for your own URL):

   add policy patset exception_list
   bind policy patset exception_list "/exception_url"

2. Prepend HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT to the rule of the existing WAF policy, so that requests whose URL contains any bound pattern skip the policy (my_WAF_policy is a placeholder for your policy name, and <existing rule> stands for the rule the policy already has):

   set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^
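The two signatures in the table above look for the hardcoded username on the two paths an attacker can use it: HTTP Basic authentication against the REST API (998933) and a submission of the Confluence login form (998934). The following Python model, added here as an illustration and not Citrix's or Atlassian's code, shows what such a check has to parse from a request, and then applies the exception_list logic from the policy modification above so the caveat is visible: a pattern that happens to cover the login form lets the attack through uninspected. The sample requests, the placeholder password and the policy names are constructed; the login form path /dologin.action and its os_username field are the standard Confluence login parameters and are assumed, not taken from the page. Matching is done case-insensitively on the username and, for the REST vector, on any request carrying Basic auth, which is deliberately broader than the signature name implies.

```python
import base64
import binascii
from typing import NamedTuple, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlsplit

# Username of the account that vulnerable app versions create (from the advisory).
HARDCODED_USER = "disabledsystemuser"


class Request(NamedTuple):
    method: str
    url: str
    headers: dict
    body: str


def _basic_auth_user(headers: dict) -> Optional[str]:
    """Username carried in an HTTP Basic Authorization header, or None."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header: nothing to match on, let the app reject it
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def _login_form_user(req: Request) -> Optional[str]:
    """os_username from a POST to the Confluence login form (dologin.action), or None."""
    if req.method.upper() != "POST" or not urlsplit(req.url).path.endswith("/dologin.action"):
        return None
    values = parse_qs(req.body).get("os_username")
    return values[0] if values else None


def match_signature(req: Request) -> Optional[int]:
    """998933 for the REST API (Basic auth) vector, 998934 for the login form vector, else None."""
    user = _basic_auth_user(req.headers)
    if user is not None and user.lower() == HARDCODED_USER:
        return 998933
    user = _login_form_user(req)
    if user is not None and user.lower() == HARDCODED_USER:
        return 998934
    return None


def evaluate(req: Request, exception_list: Sequence[str] = ()) -> Tuple[str, object]:
    """Emulate HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <signature check>.

    CONTAINS_ANY is a substring match, so a URL containing any bound pattern
    short-circuits the policy and is never inspected by the signatures.
    """
    if any(pattern in req.url for pattern in exception_list):
        return ("allowed", "exception_list")
    sig = match_signature(req)
    return ("blocked", sig) if sig else ("allowed", None)


def _basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


FORM = {"Content-Type": "application/x-www-form-urlencoded"}

# Constructed sample traffic; "placeholder" stands in for the real hardcoded password.
SAMPLES = [
    Request("GET", "/rest/api/content?limit=5", {"Authorization": _basic("disabledsystemuser", "placeholder")}, ""),
    Request("POST", "/dologin.action", FORM, "os_username=disabledsystemuser&os_password=placeholder&login=Log+in"),
    Request("POST", "/dologin.action", FORM, "os_username=alice&os_password=s3cret&login=Log+in"),
    Request("GET", "/rest/api/content?limit=5", {"Authorization": _basic("alice", "s3cret")}, ""),
    Request("GET", "/rest/api/content", {"Authorization": "Basic not*base64"}, ""),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.method, req.url, evaluate(req))
    # The caveat from the text: an exception pattern that covers the login form disables 998934.
    print("with /dologin.action excepted:", evaluate(SAMPLES[1], ["/dologin.action"]))
```

Run as a script it prints one verdict per sample; the first two are blocked by 998933 and 998934 respectively, the rest are allowed, and the final line shows the login-form attack passing once "/dologin.action" is bound to the exception pattern set. That last case is exactly why the page warns that excepted endpoints stay exposed.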

Additional Information

Citrix Web App Firewall has a single code base across physical, virtual, bare-metal, and containers. This signature update applies to all form factors and deployment models of Citrix Web App Firewall.

Learn more about Citrix Web App Firewall, check out our alert articles and bot signature articles to learn more about Citrix Web App Firewall signatures, and find out how you can receive signature alert notifications.

Patches and Mitigations

Citrix strongly recommends that customers apply patches (from Atlassian and/or other vendors) as soon as they are made available. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).