Confluence Security Advisory 2011-05-31

Confluence Security Overview and Advisories

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

It has been incorrectly advised previously that CONF-22479 (User Preferences) affects all versions starting 2.7 while in fact it is exploitable only in 3.5 and above. Our sincere apologies, this will not happen again.

You can still apply the patch to 3.4 in order to remove the root cause of this bug and potentially prevent other similar vulnerabilities from appearing

This advisory announces security vulnerabilities that we have found in Confluence and fixed in a recent version of Confluence. We also provide upgraded plugins and patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your complete Confluence installation rather than upgrading only the affected plugins. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

In this advisory:

XSS Vulnerabilities

Severity

Atlassian rates the severity level of both these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
These vulnerabilities are not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Risk Assessment

We have identified and fixed cross-site scripting (XSS) vulnerabilities that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the XSS vulnerabilities.

Confluence Feature

Affected Confluence Version

Fixed Version

Issue Tracking

Login

3.5 – 3.5.2

3.5.3

CONF-22402

User Preferences

3.5 – 3.5.2

3.5.3

CONF-22479


Our thanks to Marian Ventuneac (http://www.ventuneac.net) who reported the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

These vulnerabilities (CONF-22402 and CONF-22479) are both fixed in Confluence 3.5.3, and later versions.
For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.

If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

If you are running Confluence 3.5, we highly recommend that you upgrade to Confluence 3.5.3, or later.
If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22479 vulnerability. The CONF-22402 vulnerability does not affect Confluence 3.4.

Vulnerability

Patch

Patch File Name

User Preferences

Attached to issue CONF-22479

CONF-22479_patch.zip

Patch Procedure: Install the Patch

A patch is available for Confluence 3.4 – 3.4.9.

The patch addresses the following issue:

Security vulnerability in Confluence User Preferences (CONF-22479).

Applying the patch

If you are using Confluence 3.4 – 3.4.9:

  1. Download the CONF-22479_patch.zip file that is attached to the CONF-22479 issue.
  2. Stop Confluence.
  3. Make a backup of the <confluence_install_dir> directory.
  4. Expand the downloaded zip file into <confluence_install_dir>, overwriting the existing files.
  5. Check that the following files were created:
    • confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
    • confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
    • confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class
  6. Restart Confluence.

XSRF Vulnerability

Severity

Atlassian rates the severity level of both this vulnerability as medium, according to the scale published in Severity Levels for Security Issues for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This vulnerability is not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Risk Assessment

We have identified and fixed a cross-site request forgery (XSRF) vulnerability that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSRF vulnerabilities allow an attacker to trick users into unintentionally adding bookmarks to Confluence spaces. You can read more about XSRF attacks at http://www.cgisecurity.com/csrf-faq.html and other places on the web.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the XSRF vulnerability.

Confluence Feature

Affected Confluence Version

Fixed Version

Issue Tracking

Social Bookmarking plugin

3.0 – 3.4.9

3.5

CONF-22565

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

We also recommend that you read our guidelines on best practices for configuring Confluence security for configuring Confluence security.

Fix

This vulnerability (CONF-22565) is fixed in Confluence 3.5, and later versions.
For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.

If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

If you are running Confluence 3.5, the CONF-22565 vulnerability is already fixed, but we highly recommend that you upgrade to the latest version of Confluence.
If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22565 vulnerability.

For details on upgrading Confluence's plugins using the plugin manager, see:

Vulnerability

Patch

Patch File Name

Social Bookmarking plugin

Attached to issue CONF-22565

socialbookmarking-1.3.9.jar

Patch Procedure: Install the Patch

A patch is available for Confluence 3.4 – 3.4.9.

The patch addresses the following issue:

  • Security vulnerability in Confluence Settings Social Bookmarking plugin (CONF-22565).
Applying the patch

If you are using Confluence 3.4 – 3.4.9, use the plugin manager to upgrade the Social Bookmarking plugin to a version equal to or greater than that specified in the file name above.
For details on using the plugin manager, see Upgrading your Existing Plugins.

Last modified on Jun 2, 2011

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.