Confluence Security Advisory 2014-02-26
This advisory details a critical security vulnerability that we have found in Confluence and fixed in recent versions of Confluence.
- Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations or apply the patch to fix this vulnerability.
- Atlassian OnDemand customers have been upgraded with the fix for the issue described in this advisory.
The vulnerability affects all versions of Confluence up to and including 5.4.1.
Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and appreciate it when people work with us to identify and solve the problem.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.
User privilege escalation
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
We have identified and fixed a vulnerability in Confluence which allowed unauthenticated users to commit actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to Confluence web interface.
The vulnerability affects all supported versions of Confluence up to and including 5.4.1.
Versions 5.3.4, 5.4 and 5.4.1 are not vulnerable but require patches for compatibility purposes in order to be able to connect to patched or upgraded versions of JIRA and other Atlassian products. You do not need to patch these versions if you are not using Application Links with Trusted Applications authentication configured.
This issue has been fixed in 5.4.2. The issue is tracked in CONF-31628 - Privilege escalation Resolved .
If you are unable to upgrade or patch your Confluence server you can do the following as a temporary workaround:
- Block access to your Confluence server web interface from untrusted networks, such as the Internet.
- Turn on Secure Administrator Sessions, this prevents privilege escalation to administrative accounts. Non-privileged accounts will still be vulnerable.
This vulnerability can be fixed by upgrading Confluence. There is also a patch available for this vulnerability for all supported versions of Confluence. If you have any questions, please raise a support request at support.atlassian.com. We recommend upgrading.
The Security Patch Policy describes when and how we release security patches and security upgrades for our products.
Upgrade to Confluence 5.4.3 or a later version, which fixes this vulnerability. For a full description of these releases, see the Confluence Release Notes. You can download these versions of Confluence from the download centre. If you have migrated from Atlassian OnDemand and are using Confluence 5.x-OD, you should upgrade to 5.4.3 or a later version.
We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our
If for some reason you cannot upgrade to the latest version of Confluence, you must upgrade to the last minor version of the release (for example if you have Confluence 5.1.1, you will have to upgrade to 5.1.5) and then apply the patch provided below to fix the vulnerability described in this advisory.
1. Download the patch package.
Patches are provided for the last minor version of each major release. If you don't have the exact Confluence version installed, you will need to upgrade to the last minor version of the release in order to apply the patch (this means if you have Confluence 5.1.1, you will have to upgrade to 5.1.5 in order to be able to apply the patch)
2. In order to apply and check the patches, follow the steps for your specific operating system:
- Linux / Unix
Unzip the patch package and follow the instructions in the README.txt file. You can apply the patch using the script provided.
Unzip the patch package and follow the instructions in the README.txt file. You will need to apply the patch manually.
Was this helpful?
Thanks for your feedback!