Confluence Security Advisory 2014-02-26

This advisory details a critical security vulnerability that we have found in Confluence and fixed in recent versions of Confluence.

  • Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations or apply the patch to fix this vulnerability.  
  • Atlassian OnDemand customers have been upgraded with the fix for the issue described in this advisory.

The vulnerability affects all versions of Confluence up to and including 5.4.1.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and appreciate it when people work with us to identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.

User privilege escalation

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have identified and fixed a vulnerability in Confluence that allowed unauthenticated users to perform actions on behalf of any other authorised user. To exploit this vulnerability, an attacker requires access to the Confluence web interface.

The vulnerability affects all supported versions of Confluence up to and including 5.4.1.

Note: Versions 5.3.4, 5.4 and 5.4.1 are not vulnerable but require patches for compatibility purposes in order to be able to connect to patched or upgraded versions of JIRA and other Atlassian products. You do not need to patch these versions if you are not using Application Links with Trusted Applications authentication configured.

This issue has been fixed in 5.4.2. The issue is tracked in CONF-31628 (Privilege escalation, resolved).

Risk Mitigation

If you are unable to upgrade or patch your Confluence server you can do the following as a temporary workaround:

  • Block access to your Confluence server web interface from untrusted networks, such as the Internet.
  • Turn on Secure Administrator Sessions; this prevents privilege escalation to administrative accounts, but non-privileged accounts will still be vulnerable.

Fix

This vulnerability can be fixed by upgrading Confluence. There is also a patch available for this vulnerability for all supported versions of Confluence. If you have any questions, please raise a support request at support.atlassian.com. We recommend upgrading.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.  

Upgrading Confluence

Upgrade to Confluence 5.4.3 or a later version, which fixes this vulnerability. For a full description of these releases, see the Confluence Release Notes. You can download these versions of Confluence from the download centre. If you have migrated from Atlassian OnDemand and are using Confluence 5.x-OD, you should upgrade to 5.4.3 or a later version.

Patches

We recommend patching only when you cannot upgrade or cannot apply external security controls. Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy) as an interim solution until you can upgrade. You should not continually patch your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, and we strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of Confluence, you must upgrade to the last minor version of the release (for example if you have Confluence 5.1.1, you will have to upgrade to 5.1.5) and then apply the patch provided below to fix the vulnerability described in this advisory.

1. Download the patch package.

Patches are provided for the last minor version of each major release. If you don't have the exact Confluence version installed, you will need to upgrade to the last minor version of the release in order to apply the patch (this means if you have Confluence 5.1.1, you will have to upgrade to 5.1.5 in order to be able to apply the patch).

Version            Patch Package              md5
Confluence 5.4.2   confluence-54-patch.zip    3997f741fef95850d9a41269d8b59f4b
Confluence 5.3.4   confluence-53-patch.zip    ad8953649af0fb7c142aef4e87f7d9da
Confluence 5.2.5   confluence-52-patch.zip    27630883702d43d9a667fac4a59e9e04
Confluence 5.1.5   confluence-51-patch.zip    8832e26f9535ed854cb26f69195c1b75
Confluence 5.0.3   confluence-50-patch.zip    79f426f4e87b96e662bd9ad89a28003a
Confluence 4.3.7   confluence-43-patch.zip    070f07c330e1d5d752e182931ab0bc41
Confluence 4.2.13  confluence-42-patch.zip    038e111a8efbb1929740877a80800765
Confluence 4.1.10  confluence-41-patch.zip    fc80d7a85502365eaa01d2cfb99c3015
Confluence 4.0.7   confluence-40-patch.zip    1444ff34ba01219621fc7e43ec358d71

2. In order to apply and check the patches, follow the steps for your specific operating system:

  • Linux / Unix
    Unzip the patch package and follow the instructions in the README.txt file. You can apply the patch using the script provided.
  • Windows
    Unzip the patch package and follow the instructions in the README.txt file. You will need to apply the patch manually. 
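As an added example (not part of Atlassian's advisory or of the patch packages themselves), the following POSIX shell script checks a downloaded package's md5 against the table in this advisory before you unzip it; the package names and hashes are the advisory's, the file path is whatever you downloaded to.

```shell
#!/bin/sh
# Verify a Confluence patch package against the md5 published in the
# 2014-02-26 advisory before applying it. Refuses unknown packages and
# mismatching files so a corrupted or substituted download is not unzipped.

# Expected md5 per package name, copied from the advisory's patch table.
expected_md5() {
  case "$1" in
    confluence-54-patch.zip) echo 3997f741fef95850d9a41269d8b59f4b ;;
    confluence-53-patch.zip) echo ad8953649af0fb7c142aef4e87f7d9da ;;
    confluence-52-patch.zip) echo 27630883702d43d9a667fac4a59e9e04 ;;
    confluence-51-patch.zip) echo 8832e26f9535ed854cb26f69195c1b75 ;;
    confluence-50-patch.zip) echo 79f426f4e87b96e662bd9ad89a28003a ;;
    confluence-43-patch.zip) echo 070f07c330e1d5d752e182931ab0bc41 ;;
    confluence-42-patch.zip) echo 038e111a8efbb1929740877a80800765 ;;
    confluence-41-patch.zip) echo fc80d7a85502365eaa01d2cfb99c3015 ;;
    confluence-40-patch.zip) echo 1444ff34ba01219621fc7e43ec358d71 ;;
    *) return 1 ;;
  esac
}

# Print the md5 of a file; uses md5sum where present, else openssl.
file_md5() {
  [ -r "$1" ] || return 1
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    openssl dgst -md5 "$1" | sed 's/^.*= //'
  fi
}

# check_md5 PATH EXPECTED: exit 0 only if the file's md5 equals EXPECTED.
check_md5() {
  got=$(file_md5 "$1") || return 1
  [ "$got" = "$2" ]
}

# verify_patch PACKAGE_NAME PATH: exit 0 if PATH matches the advisory's
# md5 for PACKAGE_NAME; otherwise explain on stderr and exit 1.
verify_patch() {
  pkg=$1; path=$2
  want=$(expected_md5 "$pkg") || { echo "unknown package: $pkg" >&2; return 1; }
  if check_md5 "$path" "$want"; then
    echo "ok: $pkg matches the advisory md5; safe to unzip"
    return 0
  fi
  echo "MISMATCH for $pkg at $path: expected $want (do not apply)" >&2
  return 1
}

# Usage: ./verify.sh confluence-54-patch.zip /path/to/confluence-54-patch.zip
[ $# -eq 2 ] && verify_patch "$1" "$2"
```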
