Confluence Security Advisory 2013-08-05
This advisory discloses a critical security vulnerability that we have found in Confluence and fixed in a recent version of Confluence.
- Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations or apply the patch to fix this vulnerability.
- Atlassian OnDemand customers have been upgraded with the fix for the issue described in this advisory.
- No other Atlassian products are affected.
The vulnerability affects all versions of Confluence up to and including 5.1.4.
Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.
OGNL double evaluation in atlassian-xwork
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have fixed a vulnerability in our version of Xwork. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Confluence web interface. In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability.
The vulnerability affects all versions of Confluence up to and including 5.1.4. It has been fixed in 5.1.5. The issue is tracked in CONF-30221.
Our thanks to Reginaldo Silva (http://www.ubercomp.com/) who reported the vulnerability in this advisory.
Risk Mitigation
If you are unable to upgrade or patch your Confluence server you can do the following as a temporary workaround:
- Block access to all URLs on a Web Application Firewall or a reverse proxy that contain the string "${" in URL parameters or the request body. Note that this string can be URL-encoded. Do not apply this or a similar filter together with the patch provided below, as the login page will break.
- Block access to your Confluence server web interface from untrusted networks, such as the Internet.
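The WAF rule above, written out as an added example (not Atlassian's code) so the URL-encoded and double-encoded forms of "${" are caught as the advisory requires; the request lines are constructed samples:

```python
from urllib.parse import unquote_plus

MARKER = "${"  # the string the advisory says to block in parameters and body


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so that %24%7B and a double-encoded
    %2524%257B both collapse to the literal "${". Stops when a round
    changes nothing, so plain text passes through untouched."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def should_block(query_string: str, body: str = "") -> bool:
    """Return True if the query string or request body carries "${" in any
    encoding round. Names and values are covered because the whole raw
    string is decoded, not just the parsed values."""
    return any(MARKER in fully_decode(part) for part in (query_string, body) if part)


# Constructed sample requests: (query string, body) pairs.
SAMPLES = [
    ("pageId=123&spaceKey=DOC", ""),                 # ordinary request
    ("redirect=%24%7B1%2B1%7D", ""),                  # single-encoded ${
    ("q=%2524%257B", ""),                             # double-encoded ${
    ("", "os_username=admin&os_password=secret"),     # ordinary login POST
    ("", "title=%24{x}"),                             # mixed literal/encoded
]

if __name__ == "__main__":
    for qs, body in SAMPLES:
        print("BLOCK " if should_block(qs, body) else "ALLOW ", qs or body)
```

As the advisory notes, this rule also rejects legitimate requests that contain "${", so it is an interim control, not a substitute for the patch or upgrade.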
Fix
This vulnerability can be fixed by upgrading Confluence. There is also a patch available for this vulnerability for all supported versions of Confluence. If you have any questions, please raise a support request at http://support.atlassian.com. We recommend upgrading.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.
Upgrading Confluence
Upgrade to Confluence 5.1.5 or a later version, which fixes this vulnerability. For a full description of these releases, see the Confluence Release Notes. You can download these versions of Confluence from the download centre. If you have migrated from Atlassian OnDemand and are using Confluence 5.x-OD, you should upgrade to 5.2-OD-13-1.
Patches
We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy) as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of Confluence, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Confluence and may work for unsupported versions as well.
Download the patch file.
Version: Confluence 3.5 - 5.1.4
Patch: xwork-1.0.3.6.jar
Tracking issue: CONF-30221
MD5 (xwork-1.0.3.6.jar) = 59c8950b1129637bb63aea94b4139d7f
- Shut down Confluence.
- Move the file <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/xwork-1.x.x.x.jar to a location outside the <CONFLUENCE-INSTALL> folder.
- Add the downloaded xwork-1.0.3.6.jar file to the folder <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/.
- Start up Confluence again.
To confirm that you have applied the patch successfully, check the version of the xwork jar that has been loaded into Confluence as follows.
- Log in as administrator.
- Navigate to /admin/classpath.action URL on your instance and search for "/xwork-".
- There should be a single hit: xwork-1.0.3.6.jar. This confirms that the patch has been correctly applied.
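An offline counterpart to the classpath check, added here as an example (not part of the advisory or Atlassian's tooling): it confirms that WEB-INF/lib holds exactly one xwork jar, that it is xwork-1.0.3.6.jar, and that its MD5 matches the hash published above. The lib path is an assumption you supply.

```python
import hashlib
from pathlib import Path
from typing import Tuple

ADVISORY_MD5 = "59c8950b1129637bb63aea94b4139d7f"  # from the advisory's patch table
PATCHED_JAR = "xwork-1.0.3.6.jar"


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large jars do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(lib_dir, expected_md5: str = ADVISORY_MD5) -> Tuple[bool, str]:
    """Return (ok, reason). Fails if the old xwork jar was left behind
    (two hits), if the only jar is not the patched one, or if the hash
    differs from what the advisory published."""
    lib = Path(lib_dir)
    jars = sorted(p.name for p in lib.glob("xwork-*.jar"))
    if len(jars) != 1:
        return False, f"expected exactly one xwork jar, found {jars}"
    if jars[0] != PATCHED_JAR:
        return False, f"unpatched jar still present: {jars[0]}"
    actual = md5_of(lib / PATCHED_JAR)
    if actual != expected_md5:
        return False, f"MD5 mismatch: {actual} != {expected_md5}"
    return True, "patch applied: single xwork jar with matching MD5"


if __name__ == "__main__":
    import sys
    # Assumed invocation: python verify_patch.py <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib
    ok, reason = verify_patch(sys.argv[1])
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```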
Note: This patch has the following side effect.
If you have configured all of the below:
- allowed anonymous access in global permissions
- allowed anonymous view in space permissions
- restricted some content in that space so that anonymous cannot view it
then any time a non-logged-in user tries to view the restricted content they will be redirected to the login page as usual, but once they have logged in they will be redirected to the site homepage rather than their original destination.
Workaround: Once the user has logged in, they should manually navigate back to the page they intended to view.