Confluence Security Advisory 2010-11-15

Security Vulnerability in Confluence Remote API

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability in the Confluence Remote API that affects Confluence instances running the versions listed below, including publicly accessible instances. The vulnerability allows an attacker to escalate user privileges through the Remote API, up to but not including system administrator privileges.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the RPC vulnerability.

Confluence Feature   Affected Confluence Versions   Fixed Version   Issue Tracking
User Access          2.7 – 3.4                      3.4.2           CONF-21162

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability.

We strongly advise that you disable the Remote API until your Confluence instance is patched or upgraded. If you cannot do without the Remote API, at a minimum disable anonymous access to it.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

Confluence 3.4.2 fixes this issue. For a full description of this release, see the release notes. You can download Confluence 3.4.2 from the download centre.

If you cannot upgrade to Confluence 3.4.2, you can patch your existing installation using the patch listed below.

Available Patch

If for some reason you cannot upgrade to the latest version of Confluence, you can apply the following patch to fix the vulnerability described in this security advisory.

Vulnerability                                      Patch
Security vulnerability in Confluence Remote API    confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip

Patch Procedure: Install the Patch

A patch is available for Confluence 2.7 – 3.4.1.

The patch addresses the following issue:

  • Security vulnerability in Confluence RPC (CONF-21162).

Applying the patch

If you are using the Confluence 2.7 – 3.4.1 distributions:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_install_dir>/confluence/ directory.
  3. Download the confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip file.
  4. Expand the zip file into <confluence_install_dir>/confluence/, overwriting the existing files.
  5. Restart Confluence.
  6. Visit <Confluence base url>/admin/patch342applied.jsp and confirm that it reports: "The Patch for Confluence 3.4.2 has been correctly applied."

If you are using the WAR distribution of Confluence:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_exploded_war>/confluence/ directory.
  3. Download the confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip file.
  4. Expand the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files.
  5. Run 'build.sh clean' on UNIX, or 'build.bat clean' on Windows.
  6. Run 'build.sh' on UNIX or 'build.bat' on Windows.
  7. Redeploy the Confluence web app into your application server.
  8. Restart Confluence.
  9. Visit <Confluence base url>/admin/patch342applied.jsp and confirm that it reports: "The Patch for Confluence 3.4.2 has been correctly applied."
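The patch procedure above, scripted as an added example that is not part of Atlassian's advisory or tooling. It assumes a POSIX shell with tar, unzip and curl on the Confluence host; the default install path in CONFLUENCE_INSTALL_DIR and the BASE_URL default are placeholder assumptions, while the zip file name, the verification URL and the confirmation sentence are taken from the advisory. Stopping and starting Confluence (steps 1 and 5) is left to the operator; the script performs the backup, the expansion and the verification, and adds one check the advisory does not mention: it refuses to expand an archive whose entry names would write outside the confluence/ directory.

```shell
#!/bin/sh
# Added example, not Atlassian's own script: the standalone-distribution patch
# procedure (backup, expand patch, verify) for the 2.7 - 3.4.1 security patch.
# CONFLUENCE_INSTALL_DIR and BASE_URL defaults are assumptions for illustration.
set -eu

CONFLUENCE_INSTALL_DIR="${CONFLUENCE_INSTALL_DIR:-/opt/atlassian/confluence}"  # assumed path
BASE_URL="${BASE_URL:-http://localhost:8080}"                                  # assumed base URL
PATCH_ZIP="${PATCH_ZIP:-confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip}"
EXPECTED="The Patch for Confluence 3.4.2 has been correctly applied."

# Step 2: archive <install>/confluence/ next to itself with a timestamp and
# print the archive path so it can be restored if verification fails.
backup_confluence_dir() {
  dir="${1%/}"
  archive="${dir}.backup-$(date +%Y%m%d%H%M%S).tar"
  tar -cf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")"
  printf '%s\n' "$archive"
}

# Step 4: expand the zip over <install>/confluence/, overwriting existing files.
# Before overwriting anything inside the web app, refuse archives whose entry
# names are absolute or contain "../" and could land outside the target directory.
apply_patch_zip() {
  zip="$1"; dir="$2"
  if unzip -Z1 "$zip" | grep -Eq '(^/|^\.\./|/\.\./)'; then
    echo "refusing to expand $zip: an entry would escape $dir" >&2
    return 1
  fi
  unzip -o -q "$zip" -d "$dir"
}

# Step 6: the saved verification page must contain the exact confirmation
# sentence; returns 0 when it does, 1 otherwise.
patch_applied() {
  grep -Fq "$EXPECTED" "$1"
}

# Subcommands, run one at a time around the manual stop/start of Confluence.
case "${1:-}" in
  backup)
    backup_confluence_dir "$CONFLUENCE_INSTALL_DIR/confluence" ;;
  patch)
    apply_patch_zip "$PATCH_ZIP" "$CONFLUENCE_INSTALL_DIR/confluence" ;;
  verify)
    page=$(mktemp)
    curl -fsS -o "$page" "$BASE_URL/admin/patch342applied.jsp"
    if patch_applied "$page"; then
      echo "patch confirmed: $EXPECTED"
    else
      echo "patch NOT confirmed by $BASE_URL/admin/patch342applied.jsp" >&2
      exit 1
    fi ;;
esac
```

Run `sh apply-patch.sh backup` and then `sh apply-patch.sh patch` with Confluence stopped, restart it, and finish with `sh apply-patch.sh verify`. For the WAR distribution, point CONFLUENCE_INSTALL_DIR at the exploded WAR directory, then run build.sh clean, build.sh and redeploy as in the second procedure above before verifying.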
