Confluence Security Advisory 2010-10-12

This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.4. In addition to releasing Confluence 3.4, we also provide patches for the vulnerabilities mentioned below. You will be able to apply these patches to existing installations of Confluence 3.3.3. However, we recommend that you upgrade to Confluence 3.4 to fix these vulnerabilities.

In this advisory:

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances, including publicly available instances.

  • An attacker might take advantage of an XSS vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server.
  • XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. An attacker's text and script might be displayed to other people viewing the page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

The table below describes the parts of Confluence affected by the XSS vulnerabilities.

Confluence Feature

Affected Confluence Versions

Issue Tracking

Space names

2.9 – 3.3.3

CONF-20740

Office Connector

3.0 – 3.3.3

CONF-20963

Tasklist macro

1.3 – 3.3.3

CONF-20964

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

We also recommend that you read our guidelines on best practices for configuring Confluence security and using Apache to limit access to the Confluence administration interface.

Fix

Confluence 3.4 fixes these issues. For a full description of this release, see the release notes. You can download Confluence 3.4 from the download centre.

If you cannot upgrade to Confluence 3.4, you can patch your existing installation using the patches listed below.

Available Patches and Plugin Upgrades

If for some reason you cannot upgrade to Confluence 3.4, you can apply the following patches and plugin upgrades to fix the vulnerabilities described in this security advisory.

Step 1 of the Patch Procedure: Install the Patch

A patch is available for Confluence 3.3.3.

The patch addresses the following issues:

  • XSS vulnerability in space names (CONF-20740).
  • XSS vulnerability in Office Connector (CONF-20963).

If you are using the Confluence distribution:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_install_dir>/confluence/ directory.
  3. Download the confluence-3.3.3-to-3.4-security-patch.zip file.
  4. Expand the zip file into <confluence_install_dir>/confluence/, overwriting the existing files.
  5. Restart Confluence.

If you are using the WAR distribution of Confluence:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_exploded_war>/confluence/ directory.
  3. Download the confluence-3.3.3-to-3.4-security-patch.zip file.
  4. Expand the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files.
  5. Run 'build.sh clean' on UNIX, or 'build.bat clean' on Windows.
  6. Run 'build.sh' on UNIX or 'build.bat' on Windows.
  7. Redeploy the Confluence web app into your application server.
  8. Restart Confluence.

Step 2 of the Patch Procedure: Upgrade the Affected Plugins

Some of the above vulnerabilities exist in plugins and are therefore not included in the patch. To fix these vulnerabilities, you will need to upgrade the affected plugins. You can upgrade the plugins in the normal manner, via the Confluence Plugin Repository. Please refer to the documentation for more details on installing plugins.

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport