Confluence Security Advisory 2011-05-31
It has been incorrectly advised previously that CONF-22479 (User Preferences) affects all versions starting 2.7 while in fact it is exploitable only in 3.5 and above. Our sincere apologies, this will not happen again.
You can still apply the patch to 3.4 in order to remove the root cause of this bug and potentially prevent other similar vulnerabilities from appearing
This advisory announces security vulnerabilities that we have found in Confluence and fixed in a recent version of Confluence. We also provide upgraded plugins and patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your complete Confluence installation rather than upgrading only the affected plugins. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
In this advisory:
XSS Vulnerabilities
Severity
Atlassian rates the severity level of both these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
These vulnerabilities are not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Risk Assessment
We have identified and fixed cross-site scripting (XSS) vulnerabilities that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.
Vulnerability
The table below describes the Confluence versions and the specific functionality affected by the XSS vulnerabilities.
Confluence Feature |
Affected Confluence Version |
Fixed Version |
Issue Tracking |
|---|---|---|---|
Login |
3.5 – 3.5.2 |
3.5.3 |
|
User Preferences |
3.5 – 3.5.2 |
3.5.3 |
Our thanks to Marian Ventuneac (http://www.ventuneac.net) who reported the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix these vulnerabilities.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
We also recommend that you read our guidelines on best practices for configuring Confluence security.
Fix
These vulnerabilities (CONF-22402 and CONF-22479) are both fixed in Confluence 3.5.3, and later versions.
For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.
If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
Patches
If you are running Confluence 3.5, we highly recommend that you upgrade to Confluence 3.5.3, or later.
If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22479 vulnerability. The CONF-22402 vulnerability does not affect Confluence 3.4.
Vulnerability |
Patch |
Patch File Name |
|---|---|---|
User Preferences |
Attached to issue CONF-22479 |
Patch Procedure: Install the Patch
A patch is available for Confluence 3.4 – 3.4.9.
The patch addresses the following issue:
Security vulnerability in Confluence User Preferences (CONF-22479).
Applying the patch
If you are using Confluence 3.4 – 3.4.9:
- Download the CONF-22479_patch.zip file that is attached to the CONF-22479 issue.
- Stop Confluence.
- Make a backup of the <confluence_install_dir> directory.
- Expand the downloaded zip file into <confluence_install_dir>, overwriting the existing files.
- Check that the following files were created:
- confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
- confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
- confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class
- Restart Confluence.
XSRF Vulnerability
Severity
Atlassian rates the severity level of both this vulnerability as medium, according to the scale published in Severity Levels for Security Issues for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This vulnerability is not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Risk Assessment
We have identified and fixed a cross-site request forgery (XSRF) vulnerability that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSRF vulnerabilities allow an attacker to trick users into unintentionally adding bookmarks to Confluence spaces. You can read more about XSRF attacks at http://www.cgisecurity.com/csrf-faq.html and other places on the web.
Vulnerability
The table below describes the Confluence versions and the specific functionality affected by the XSRF vulnerability.
Confluence Feature |
Affected Confluence Version |
Fixed Version |
Issue Tracking |
|---|---|---|---|
Social Bookmarking plugin |
3.0 – 3.4.9 |
3.5 |
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix these vulnerabilities.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
We also recommend that you read our guidelines on best practices for configuring Confluence security for configuring Confluence security.
Fix
This vulnerability (CONF-22565) is fixed in Confluence 3.5, and later versions.
For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.
If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
Patches
If you are running Confluence 3.5, the CONF-22565 vulnerability is already fixed, but we highly recommend that you upgrade to the latest version of Confluence.
If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22565 vulnerability.
For details on upgrading Confluence's plugins using the plugin manager, see:
Vulnerability |
Patch |
Patch File Name |
|---|---|---|
Social Bookmarking plugin |
Attached to issue CONF-22565 |
Patch Procedure: Install the Patch
A patch is available for Confluence 3.4 – 3.4.9.
The patch addresses the following issue:
- Security vulnerability in Confluence Settings Social Bookmarking plugin (CONF-22565).
Applying the patch
If you are using Confluence 3.4 – 3.4.9, use the plugin manager to upgrade the Social Bookmarking plugin to a version equal to or greater than that specified in the file name above.
For details on using the plugin manager, see Upgrading your Existing Plugins.