Confluence Security Advisory 2010-05-04
This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.2.1. In addition to releasing Confluence 3.2.1, we also provide patches for the most important vulnerabilities mentioned. You will be able to apply these patches to older versions of Confluence. There will, however, be a number of security improvements in Confluence 3.2.1 that cannot be patched or backported. We recommend upgrading to Confluence 3.2.1 rather than applying the patches.
XSS Vulnerabilities
Severity
Atlassian rates these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a number of security vulnerabilities which may affect Confluence instances in a public environment. These flaws are cross-site scripting (XSS) vulnerabilities exposed in the Confluence functions described in the table below.
- An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server.
- An attacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
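The table that follows lists where user-controlled text reached a page without encoding. As an added illustration of that flaw class (example code written for this page, not Confluence code: Confluence renders its pages in Java/JSP, and the Python below only models the rendering step), the first function pastes a request parameter into an error message as-is, while the second applies HTML entity encoding so the same input is shown as text; a third shows the same treatment inside an attribute value. The input strings are constructed for the demonstration.

```python
import html

# Constructed input for the demonstration: a value a user could place in a
# search box or URL parameter. Any HTML in it must end up displayed as text,
# never interpreted by the browser.
SAMPLE_INPUT = "<b>injected</b>"


def render_error_vulnerable(search_term: str) -> str:
    """Error message built the unsafe way: the parameter is concatenated into
    the page as-is, so markup in it becomes part of the document."""
    return "<p class=\"error\">No results for '" + search_term + "'</p>"


def render_error_safe(search_term: str) -> str:
    """Same message with output encoding: html.escape turns & < > \" ' into
    entities, so the browser shows the characters but does not parse them
    as markup. quote=True also makes the result safe inside attributes."""
    encoded = html.escape(search_term, quote=True)
    return "<p class=\"error\">No results for '" + encoded + "'</p>"


def search_box_safe(search_term: str) -> str:
    """Echoing the term back inside an attribute value: the same escaping
    stops a double quote in the input from closing the attribute early."""
    encoded = html.escape(search_term, quote=True)
    return '<input type="text" name="query" value="' + encoded + '">'


def demo() -> dict:
    """Render SAMPLE_INPUT both ways so the difference can be inspected."""
    return {
        "vulnerable": render_error_vulnerable(SAMPLE_INPUT),
        "safe": render_error_safe(SAMPLE_INPUT),
        "attribute": search_box_safe('x" onfocus="y'),
    }


if __name__ == "__main__":
    for label, markup in demo().items():
        print(f"{label}: {markup}")
```

The point of the two versions is that the encoding is decided by the output context (element body here, attribute value in the third function), which is why a single fix in one JSP does not cover every feature in the table and each listed location needed its own patch.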
Vulnerability
We identified and fixed vulnerabilities in the Confluence features described in the table below.
Confluence Feature | Affected Confluence Versions | Fix Availability | More Details | Severity |
---|---|---|---|---|
Index browser JSP (JavaServer Page) | 2.7.0 – 3.2.0 | 3.2.1 and patch | CONF-19404 | High |
A JSP that provides an administrator with the location on the file system where the attachments for a given space are stored | 2.8.3 – 3.2.0 | 3.2.1 and patch | CONF-19404 | High |
A JSP that allows an administrator to reset null email addresses to dummyvalue@nowhere.org | 2.8.3 – 3.2.0 | 3.2.1 and patch | CONF-19404 | High |
Colour scheme settings | 3.1.2 – 3.2.0 | 3.2.1 and patch | CONF-19384 | High |
Error messages | 2.7.0 – 3.2.0 | 3.2.1 and patch | CONF-19390 and CONF-19402 | High |
Searching Confluence | 2.7.4 – 3.2.0 | 3.2.1 and patch | CONF-19382 | High |
Attachment upload | 3.0.2 – 3.2.0 | 3.2.1 and patch | CONF-19388 | High |
Content rendering | 3.0.0 – 3.2.0 | 3.2.1 and patch | CONF-19441 | High |
Advanced Macros plugin | 3.1.0 – 3.2.0 | 3.2.1 and plugin upgrade | | High |
Social Bookmarking plugin | 3.0.0 – 3.2.0 | 3.2.1 and plugin upgrade | | High |
Risk Mitigation
We recommend either patching or upgrading your Confluence installation to fix these vulnerabilities. Please see the 'fix' section below.
Alternatively, if you are not in a position to upgrade or patch immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
Fix
Confluence 3.2.1 fixes all of these issues. See the release notes. You can download Confluence 3.2.1 from the download centre.
If you cannot upgrade to Confluence 3.2.1, you can patch your existing installation using the patches and plugin upgrades listed below. We strongly recommend upgrading to 3.2.1 however, since it adds even more security features than the patches.
Changed behaviour in Confluence
We have removed the indexbrowser.jsp and viewdocument.jsp pages that used to provide access to the Confluence index browser. Instead, if you need to see more details of the indexed pages in your Confluence site, you can download and run Luke. Luke is a development and diagnostic tool that accesses existing Lucene indexes and allows you to display and modify their content in several ways. See our document on content index administration.
Our thanks to Brett Porter of The Apache Software Foundation and to David Belcher of Research in Motion, who reported some of the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
XSS Vulnerability in Database Check Utility (Not Bundled with Confluence)
Severity
Atlassian rates this vulnerability as high, according to the scale published in Confluence Security.
Risk Assessment
We have identified and fixed a cross-site scripting (XSS) vulnerability in the Atlassian database check utility that some customers may have installed. The utility is a JSP file, supplied as an attachment to a documentation page.
Note that this utility is not bundled with Confluence. This vulnerability applies to you only if you have downloaded and installed the JSP.
Vulnerability
An attacker can inject their own JavaScript when invoking the database check utility. The rogue JavaScript will be executed when a user invokes the URL. For more details, please refer to CONF-19406.
Risk Mitigation
If you have previously downloaded and installed the testdatabase.jsp utility from the documentation page, you should now remove the testdatabase.jsp file from your <confluence-install>\confluence directory.
When you need to use the utility again, you can download the updated version from the same documentation page.
Fix
If you have previously downloaded and installed the testdatabase.jsp utility from the documentation page, you should now remove the testdatabase.jsp file from your <confluence-install>\confluence directory.
When you need to use the utility again, you can download the updated version from the same documentation page.
This fix is not part of Confluence 3.2.1
Because the JSP file is not shipped with the Confluence installation, there is no patch for this vulnerability and there is no fix for it in Confluence 3.2.1. Please check your installation and remove or update the JSP if present.
Unnecessary Exposure of and Access to Information
Severity
Atlassian rates these vulnerabilities as high and moderate, according to the scale published in Confluence Security.
Risk Assessment
We have identified a number of areas where Confluence exposes an unnecessary amount of information that may be useful to an attacker if such an attacker gained access to the information.
Vulnerability
We have identified a number of areas where Confluence exposes an unnecessary amount of information, including sensitive information such as usernames and passwords. If an attacker gains access to such information, it may allow such an attacker to gain access to administrative areas and functions of Confluence that they are not authorised to use. Details of each vulnerability are in the table below.
For more details please refer to the related JIRA issues, also shown in the table below.
Confluence action | Affected Confluence Versions | Fix Availability | More Details | Severity |
---|---|---|---|---|
Support request form | 3.1.0 – 3.2.0 | 3.2.1 only | The Confluence support request form automatically generates a zip file containing system information and log files, and submits the file to a given email address along with the support request. The zip file includes configuration files containing usernames, passwords and license details. See CONF-19391 | High |
Support request form | 2.7.0 – 3.2.0 | 3.2.1 only | The Confluence support request form offers a 'CC' email address, allowing the support request and all attached information to be sent to any email address. In addition, it is also possible to set the default email address to any email address, via the Confluence Administration Console. See CONF-19392 | High |
XML site backup | 2.7.0 – 3.2.0 | 3.2.1 only | It is possible to download an XML backup of the Confluence site from the Confluence Administration Console. See CONF-19393 | High |
Daily site backup | 2.7.0 – 3.2.0 | 3.2.1 only | The path to the daily site backup is configurable via the Confluence Administration Console. It is possible to set the daily backup path and (partial) name through the web UI. This allows an attacker to put the backup in a location that is served by the application server. See CONF-19397 | Moderate |
SOAP and XML-RPC APIs | 2.7.0 – 3.2.0 | 3.2.1 only | The SOAP and XML-RPC APIs give too much information when returning an error about an incorrect login. See CONF-19398 | High |
Information about Confluence administrators | 2.7.0 – 3.2.0 | 3.2.1 only | The list of Confluence administrators is accessible via a URL and shows the username, full name and email address of all administrators. See CONF-19395 | Moderate |
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Please see the 'fix' section below.
Alternatively, if you are not in a position to upgrade or patch immediately, consider applying these measures:
- Control the access to your administrator accounts, as described in our document on best practices for configuring Confluence security.
- Disable access to the SOAP and XML-RPC APIs, if these remote APIs are not required. (Remote API access is disabled by default.) See the page about enabling remote APIs.
- Manually remove the list of Confluence administrators that is accessible via a URL, by editing the relevant Velocity template file as follows:
  - Edit the administrators.vm file, located in {confluence-install}/confluence for standalone installations, or at the root of the web app for WAR installations. Replace the content with a message that you would like to be displayed whenever someone accesses this URL. For example:

    ```html
    <html>
      <head>
        <title>$action.getText("title.administrators")</title>
      </head>
      <body>
        The list of Confluence administrators is no longer available. If you would like to contact an administrator, please email admins at example dot com.
      </body>
    </html>
    ```

  - Save the file. (There is no need to restart Confluence.)
- Edit the
Fix
Confluence 3.2.1 fixes these issues. See the release notes. You can download Confluence 3.2.1 from the download centre.
Changed Behaviour in Confluence
In order to fix these problems, we have changed Confluence's behaviour as follows:
- We have removed all license, username and password information from the zip file generated by the Confluence support request form.
- It is no longer possible to specify a 'CC' email address on the Confluence support request form.
- By default, it is no longer possible to specify a site support email address in the 'General Configuration' section of the Confluence Administration Console. Administrators can restore this functionality by updating the confluence.cfg.xml file in the Confluence Home directory (see our document on the Confluence Home and other important directories). Confluence now recognises a new property in this configuration file, called admin.ui.allow.site.support.email. If the value of the property is 'true', it will be possible to specify a site support email address via the Confluence Administration Console. If the value of this property is 'false' or the property is not present in the file, the email address is not configurable. By default in Confluence 3.2.1 and later, the value is 'false'.
- By default, the path to the daily site backup is no longer configurable via the Confluence Administration Console. Confluence now recognises a new property called admin.ui.allow.daily.backup.custom.location in the confluence.cfg.xml file. If the value of this property is 'true', the administrator can change the daily backup path. If the value of this property is 'false' or the property is not present in the file, the backup path is not configurable. By default in Confluence 3.2.1 and later, the value is 'false'.
- By default, it is no longer possible to download an XML backup of the Confluence site from the Confluence Administration Console. Instead, you need access to the Confluence server machine in order to retrieve the XML site backup file. Confluence now recognises a new property called admin.ui.allow.manual.backup.download in the confluence.cfg.xml file. If the value of this property is 'true', the Administration Console provides an option to download the XML site backup file. If the value of this property is 'false' or the property is not present in the file, the XML download is not available from the Administration Console. By default in Confluence 3.2.1 and later, the value is 'false'.
- On invalid login attempts, the SOAP and XML-RPC APIs no longer give away the specific information that the user does not exist or that the password is invalid.
- The administrators.action URL no longer opens a page showing the list of Confluence administrators. Instead, the URL will now present a form which you can use to email all the administrators of the site. This is preferable since it does not give the user any information about who these administrators are. See our documentation on configuring the administrator contact page.
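The three properties described above, collected into one confluence.cfg.xml fragment as an added example (it is not taken from the advisory or from a file shipped with Confluence). Only the three property names and the 'true'/'false' semantics come from the advisory; the surrounding <confluence-configuration> and <properties> elements follow the usual layout of that file and are an assumption here, and the "example.existing.property" entry is a placeholder standing in for the entries already in your file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <properties>
    <!-- Placeholder for the entries already present in your file; leave them as they are. -->
    <property name="example.existing.property">unchanged</property>

    <!-- Secure defaults introduced in 3.2.1. Omitting any of these three
         properties has the same effect as setting it to 'false'. -->

    <!-- 'false': the site support email address cannot be changed from the
         Administration Console. Set to 'true' only if you need that field back. -->
    <property name="admin.ui.allow.site.support.email">false</property>

    <!-- 'false': the daily backup path cannot be changed from the web UI, so
         the backup cannot be redirected to a directory served by the
         application server. -->
    <property name="admin.ui.allow.daily.backup.custom.location">false</property>

    <!-- 'false': the XML site backup can only be retrieved from the server
         file system, not downloaded through the Administration Console. -->
    <property name="admin.ui.allow.manual.backup.download">false</property>
  </properties>
</confluence-configuration>
```

If you do set one of these to 'true', treat it as a deliberate exception: each of the three re-enables a path by which an account with administrator access can extract configuration, backups or credentials through the web interface, which is what the corresponding CONF issues above describe.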
General Tightening of the Confluence Security Model
Severity
Atlassian rates these vulnerabilities as high and moderate, according to the scale published in Confluence Security.
Risk Assessment
We have improved the security of the following areas in Confluence:
- Prevention of brute force attacks by imposing a maximum number of repeated login attempts.
- Handling of decorator layouts.
Vulnerability
We have identified and fixed a problem where Confluence allows an unlimited number of repeated login attempts, potentially opening Confluence to a brute force attack. We have also improved the security around the handling of decorator layouts. Details of each improvement are in the table below.
For more details please refer to the related JIRA issues, also shown in the table below.
Confluence action | Affected Confluence Versions | Fix Availability | More Details | Severity |
---|---|---|---|---|
Site and space decorator layouts | All versions up to and including 3.2.0 | 3.2.1 and patch | The BootstrapManager exposed in site and space layout templates should be read only. See CONF-19401 | High |
Login | All versions up to and including 3.2.0 | 3.2.1 only | Confluence does not set a maximum to the number of repeated login attempts. This makes Confluence vulnerable to a brute force attack. See CONF-19396 | Moderate |
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Please see the 'fix' section below.
Alternatively, if you are not in a position to upgrade immediately, you can patch your existing installation using the patches listed below. The patch will fix the problem with the decorator layouts.
You can prevent brute force attacks by following our guidelines on using Fail2Ban to limit login attempts.
Fix
Confluence 3.2.1 fixes these issues. See the release notes. You can download Confluence 3.2.1 from the download centre.
Alternatively, if you are not in a position to upgrade immediately, you can patch your existing installation using the patches listed below. The patch will fix the problem with the decorator layouts.
Changed Behaviour in Confluence
In order to fix these problems, we have changed Confluence's behaviour as follows:
- We have improved the security in the way Confluence handles decorator layouts. The BootstrapManager is now read only.
- After three failed login attempts, Confluence will display a Captcha form asking the user to enter a given word when attempting to log in again. This will prevent brute force attacks via the login screen. In addition, after three failed login attempts via the XML-RPC or SOAP API, an error message will be returned instructing the user to log in via the web interface. Captcha will automatically be activated when they attempt this login.
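The two login changes above (a CAPTCHA after three failures, and a single generic message for "unknown user" and "wrong password") can be modelled in a few lines. The following is an added example written for this page, not Confluence's own login code: the credential store, usernames and messages are constructed for the demonstration, and the hashing is deliberately simplified (a real store uses a salted, slow password hash).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Threshold stated in the advisory: three failed attempts before a CAPTCHA is demanded.
MAX_FAILED_ATTEMPTS = 3

# One message for both "no such user" and "wrong password", so that neither the
# web form nor the remote APIs reveal which of the two was the case.
GENERIC_FAILURE = "Invalid username or password."
CAPTCHA_REQUIRED = "Too many failed login attempts; please complete the CAPTCHA."
API_REJECTED = "Too many failed login attempts; log in via the web interface to continue."


def _digest(password: str) -> str:
    # Unsalted SHA-256 keeps the example self-contained; this is NOT a
    # suitable password hash for a real deployment.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed credential store for the demonstration (an assumption of this
# example, not Confluence's user store).
DEMO_CREDENTIALS = {"alice": _digest("correct horse battery staple")}
_DUMMY_DIGEST = _digest("placeholder-for-unknown-users")


def _password_matches(username: str, password: str) -> bool:
    # Always run the comparison, against a dummy digest when the user is
    # unknown, so the time taken does not reveal whether the username exists.
    stored = DEMO_CREDENTIALS.get(username, _DUMMY_DIGEST)
    match = hmac.compare_digest(stored, _digest(password))
    return match and username in DEMO_CREDENTIALS


@dataclass
class LoginThrottle:
    """Counts consecutive failed attempts per username; shared by the web
    form and the remote APIs so both count towards the same limit."""
    failures: dict = field(default_factory=dict)

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def record_failure(self, username: str) -> None:
        self.failures[username] = self.failures.get(username, 0) + 1

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)


def web_login(throttle: LoginThrottle, username: str, password: str,
              captcha_solved: bool = False) -> tuple:
    """Login through the web form. Returns (status, message)."""
    if throttle.captcha_required(username) and not captcha_solved:
        return ("captcha_required", CAPTCHA_REQUIRED)
    if _password_matches(username, password):
        throttle.record_success(username)
        return ("ok", "Logged in.")
    throttle.record_failure(username)
    return ("failed", GENERIC_FAILURE)


def api_login(throttle: LoginThrottle, username: str, password: str) -> tuple:
    """Login through SOAP/XML-RPC. No CAPTCHA can be shown here, so once the
    threshold is reached the call is refused until a web login succeeds."""
    if throttle.captcha_required(username):
        return ("rejected", API_REJECTED)
    if _password_matches(username, password):
        throttle.record_success(username)
        return ("ok", "Logged in.")
    throttle.record_failure(username)
    return ("failed", GENERIC_FAILURE)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(web_login(throttle, "alice", "guess"))
    print(api_login(throttle, "alice", "correct horse battery staple"))
    print(web_login(throttle, "alice", "correct horse battery staple", captcha_solved=True))
```

Two details matter for the defender: the counter is keyed by username rather than by client address, so it cannot be bypassed by rotating sources, and a successful login clears it, which is what lets the API caller recover after completing the web CAPTCHA.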
Available Patches and Plugin Upgrades
If for some reason you cannot upgrade to Confluence 3.2.1, you can apply the following patches and plugin upgrades to fix the most pressing vulnerabilities described in this security advisory.
Step 1 of the Patch Procedure: Install the Patches
Patches are available for Confluence 3.2.0, 3.1.2, 3.0.2, 2.10.4, 2.9.3 and 2.8.3. You need to upgrade to the specified bug-fix release of the relevant major version before applying the patches. For example, if your version is Confluence 3.0.0, first upgrade to 3.0.2 and then apply the relevant patch.
The available patches address the following issues:
- XSS in search (CONF-19382).
- XSS in attachment upload (CONF-19388).
- XSS in the index browser JSP (CONF-19404).
- XSS in the JSP that provides an administrator with the location on the file system where the attachments for a given space are stored (CONF-19404).
- XSS in the JSP that allows an administrator to reset null email addresses (CONF-19404).
- XSS in colour scheme settings (CONF-19384).
- XSS in error messages (CONF-19390 and CONF-19402).
- XSS in content rendering (CONF-19441).
- Secure handling of site and space decorator layouts (CONF-19401).
Each patch covers all of the above issues, and is applicable to the specific version of Confluence. To install the patch, download the appropriate version and follow the instructions below.
Your Confluence Version | File |
---|---|
3.2.0 | |
3.1.2 | |
3.0.2 | |
2.10.4 | |
2.9.3 | |
2.8.3 | |
Applying the patch
If you are using the Standalone distribution of Confluence:
- Make a backup of the <confluence_install_dir>/confluence/ directory.
- Download the confluence-x-patch.zip file from the location given in the table above, for your version of Confluence.
- Expand the zip file into <confluence_install_dir>/confluence/, overwriting the existing files in that location.
- Restart Confluence.
If you are using the WAR distribution of Confluence:
- Make a backup of the <confluence_exploded_war>/confluence/ directory.
- Download the confluence-x-patch.zip file from the location given in the table above, for your version of Confluence.
- Expand the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files in that location.
- Run 'build.sh clean' on UNIX, or 'build.bat clean' on Windows.
- Run 'build.sh' on UNIX, or 'build.bat' on Windows.
- Redeploy the Confluence web app into your application server.
Step 2 of the Patch Procedure: Upgrade your Plugins
Two of the above vulnerabilities exist in plugins and are therefore not included in the patch. To fix these vulnerabilities, you will need to upgrade the affected plugin to get the fixed version. You can upgrade the plugins in the normal manner, via the Confluence Plugin Repository. Please refer to the documentation for more details on installing plugins.
- If you are running Confluence 3.1.0 or later, you will need to install the latest version of the Confluence Advanced Macros plugin. Earlier versions of Confluence are not affected and therefore do not need an upgraded plugin.
- If you are running Confluence 3.0.0 or later, you will need to install the latest version of the Social Bookmarking plugin. Earlier versions of Confluence are not affected and therefore do not need an upgraded plugin.
Step 3 of the Patch Procedure: Remove the Database Check Utility if Previously Installed
If you have previously downloaded and installed the testdatabase.jsp utility from the documentation page, you should now remove the testdatabase.jsp file from your <confluence-install>\confluence directory. See above for more details of this utility.