Confluence Security Advisory 2012-05-17
This advisory discloses a critical security vulnerability that exists in all versions of Confluence up to and including 4.1.9.
- Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations to fix this vulnerability.
- Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
- JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Critical XML Parsing Vulnerability
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have identified and fixed a vulnerability in Confluence that results from the way third-party XML parsers are used in Confluence. This vulnerability allows an attacker to:
- execute denial of service attacks against the Confluence server, or
- read all local files readable to the system user under which Confluence runs.
The attacker does not need to have an account with the affected Confluence instance.
All versions of Confluence up to and including 4.1.9 are affected by this vulnerability. This issue can be tracked here: CONF-25077.
The Gliffy for Confluence plugin is also vulnerable to this exploit. If you are using the Gliffy plugin for Confluence with any version of Confluence, you will need to upgrade it (see 'Fix' section below) or disable it.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately, you should do all of the following until you can upgrade. Please note that these measures only limit the impact of the vulnerability; they do not mitigate it completely.
- Disable access to the SOAP and XML-RPC APIs, if these remote APIs are not required. Note, remote API access is disabled by default. See enabling remote APIs for instructions.
- Disable the following plugins/plugin modules (see Disabling and enabling apps):
  - Office Connector plugin
  - JUnitReport macro module of the confluence-advanced-macros plugin (called "Advanced Macros" in the interface)
  - confluence-jira3-macros plugin (called "JIRA Macros" in the interface)
  - WebDAV
- Disable public access (such as anonymous access and public signup) to Confluence until you have upgraded.
- Ensure that your Confluence system user is restricted as described in best practices for configuring Confluence security.
Fix
Upgrade
- Upgrade to Confluence 4.2 or later, which fixes this vulnerability. For a full description of this release, see the Confluence 4.2 Release Notes. The following releases have also been made available to fix these issues in older Confluence versions. You can download these versions of Confluence from the download centre.
- Confluence 4.1.10 for Confluence 4.1
- Confluence 4.0.7 for Confluence 4.0
- Confluence 3.5.17 for Confluence 3.5
Upgrade the following Confluence third-party plugins, if you are using them. The table below describes which version of the plugin you should upgrade to, depending on your Confluence version. See Updating Add-ons for instructions on how to update a plugin.
| Plugin | Confluence 4.2 | Confluence 4.1 | Confluence 4.0 | Confluence 3.5 |
|---|---|---|---|---|
| Gliffy plugin for Confluence | 4.2 | 4.2 | 4.2 | 4.2 |
Patches
There are no patches available for this vulnerability. Due to the extent of the changes required to fix the vulnerability, it is not possible to provide patches that resolve the issue without compromising the reliability of Confluence. You must upgrade to fix this vulnerability.