Confluence Security Advisory 2014-05-21

This advisory discloses a critical security vulnerability that we have found in Confluence and fixed in a recent version of Confluence.

  • Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations or apply the patch to fix this vulnerability.  
  • Atlassian OnDemand customers have been upgraded with the fix for the issue described in this advisory.
  • No other Atlassian products are affected.

The vulnerability affects all versions of Confluence up to and including 5.5.1.

Atlassian is committed to improving product security. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com.

ClassLoader manipulation vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed a vulnerability in our version of an Xwork library which is also part of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We have discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Confluence.

The vulnerability affects all versions of Confluence up to and including 5.5.1. Confluence 5.5.2 is not vulnerable. The issue is tracked in CONF-33515 (ClassLoader Manipulation vulnerability).

Risk Mitigation

If you are unable to upgrade or patch your Confluence server you can do the following as a temporary workaround:

  • Block at a reverse proxy or a firewall all requests matching the following regular expression pattern in request parameters. Note that the example does not account for any URL encoding that may be present.

    .*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
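As an added example (not part of the advisory), the Python below applies the pattern above to constructed request lines, first as received and then after percent-decoding, to show why the note about URL encoding matters when the block is deployed at a proxy or firewall. The helper names and sample URLs are mine.

```python
import re
from urllib.parse import unquote_plus

# The advisory's pattern, copied verbatim; Python's re accepts the empty alternative.
BLOCK_PATTERN = re.compile(r""".*[?&](.*\.||.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def matches_raw(request_line: str) -> bool:
    """Apply the pattern to the request exactly as received (no decoding)."""
    return BLOCK_PATTERN.match(request_line) is not None


def matches_decoded(request_line: str, max_rounds: int = 2) -> bool:
    """Percent-decode before matching, repeating to catch double encoding."""
    candidate = request_line
    for _ in range(max_rounds):
        if BLOCK_PATTERN.match(candidate):
            return True
        decoded = unquote_plus(candidate)
        if decoded == candidate:      # nothing left to decode
            break
        candidate = decoded
    return BLOCK_PATTERN.match(candidate) is not None


# Constructed sample request targets (not real traffic).
SAMPLES = [
    "/pages/viewpage.action?pageId=123",   # benign
    "/pages/viewpage.action?class.x=1",    # dotted form the pattern targets
    "/x.action?a=1&b['class']=2",          # bracketed form
    "/x.action?class%2Ex=1",               # '.' percent-encoded: raw match misses it
    "/x.action?%63lass.x=1",               # 'c' percent-encoded: raw match misses it
    "/x.action?classic=1",                 # benign: 'class' not followed by . [ or quote]
]


def audit(samples=SAMPLES):
    """Return (request, raw_match, decoded_match) for each sample."""
    return [(s, matches_raw(s), matches_decoded(s)) for s in samples]
```

Only the decoded check catches the encoded variants, so a proxy rule based on this pattern has to run after URL decoding (and, where the proxy supports it, after decoding twice).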

Fix

This vulnerability can be fixed by upgrading Confluence.  There is also a patch available for this vulnerability for all supported versions of Confluence.  We recommend upgrading.

There is no upgrade available for Confluence Cluster; its users currently need to apply the patch as described below.

The Security Patch Policy describes when and how we release security patches and security upgrades for our products.  

Upgrading Confluence

Upgrade to Confluence 5.5.2 or a later version, which fixes this vulnerability. For a full description of these releases, see the Confluence Release Notes. You can download these versions of Confluence from the download center.

Patches

Patches are usually only provided for vulnerabilities of critical severity (as per our Security Patch Policy) as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of Confluence, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Confluence and may work for unsupported versions as well.

Patching supported versions of Confluence 4.2 - 5.5.1
  1. Download the patch file.

    Version                  Patch                          Tracking issue
    Confluence 4.2 - 5.5.1   atlassian-xwork-core-1.17.jar  CONF-33515 - ClassLoader Manipulation vulnerability

    MD5 (atlassian-xwork-core-1.17.jar) = 3e05c38578eec3583b9d5ef5e28fd058

  2. Shut down Confluence.
  3. Move file <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-core-1.13.jar to a location outside the <CONFLUENCE-INSTALL> folder.
  4. Add the downloaded atlassian-xwork-core-1.17.jar file to folder <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/.
  5. Start up Confluence again.

To confirm that you have applied the patch successfully, check the version of the xwork jar that has been loaded into Confluence as follows.

  1. Log in as administrator.
  2. Navigate to the /admin/classpath.action URL on your instance and search for "/atlassian-xwork-core".
  3. There should be a single hit: atlassian-xwork-core-1.17.jar. This confirms that the patch has been correctly applied.
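
The advisory's confirmation step reads the loaded classpath from the running instance. As an added example (not Atlassian's own tooling), the Python below performs the equivalent check on disk before start-up: the old atlassian-xwork-core jar must be gone from WEB-INF/lib and the downloaded jar must match the MD5 published above. It assumes the standard <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib layout; the fixture in demo() is constructed, so it uses the MD5 of an empty file rather than the advisory's value.

```python
import hashlib
import os
import tempfile

# MD5 published in the advisory for the patched jar (Confluence 4.2 - 5.5.1).
ADVISORY_MD5 = {"atlassian-xwork-core-1.17.jar": "3e05c38578eec3583b9d5ef5e28fd058"}

def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so a large jar need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_lib_dir(lib_dir, expected=ADVISORY_MD5):
    """Return the problems found in WEB-INF/lib; an empty list means the patch looks correct."""
    problems = []
    # Step 3 of the procedure: the old atlassian-xwork-core jar must be gone, otherwise two
    # versions sit on the classpath and /admin/classpath.action would show more than one hit.
    for name in sorted(os.listdir(lib_dir)):
        if name.startswith("atlassian-xwork-core") and name not in expected:
            problems.append(f"old jar still in lib: {name}")
    # Step 4: the downloaded jar must be present and match the published MD5.
    for name, md5 in expected.items():
        path = os.path.join(lib_dir, name)
        if not os.path.isfile(path):
            problems.append(f"patched jar missing: {name}")
        elif md5_of_file(path) != md5:
            problems.append(f"MD5 mismatch for {name}")
    return problems

def demo():
    """Constructed fixture: an empty file stands in for the jar, so the expected MD5 is that
    of zero bytes (d41d8cd98f00b204e9800998ecf8427e) rather than the advisory's value."""
    fixture_md5 = {"atlassian-xwork-core-1.17.jar": "d41d8cd98f00b204e9800998ecf8427e"}
    results = {}
    with tempfile.TemporaryDirectory() as lib:
        old = os.path.join(lib, "atlassian-xwork-core-1.13.jar")
        new = os.path.join(lib, "atlassian-xwork-core-1.17.jar")
        open(old, "wb").close()
        results["before_patch"] = check_lib_dir(lib, fixture_md5)
        os.remove(old)               # step 3: old jar moved out of lib
        open(new, "wb").close()      # step 4: patched jar dropped in
        results["after_patch"] = check_lib_dir(lib, fixture_md5)
        with open(new, "wb") as f:   # a corrupted or wrong download must be reported
            f.write(b"not the real jar")
        results["bad_download"] = check_lib_dir(lib, fixture_md5)
    return results
```

For a real installation call check_lib_dir() on the WEB-INF/lib path with the default ADVISORY_MD5 table; for the 3.5 - 4.0 procedure below, extend the table with the other two jars and their published MD5s.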

Patching EOL version of Confluence 4.1

For 4.1, follow the same steps as above with atlassian-xwork-core-1.17.jar.

Patching EOL versions of Confluence 3.5 - 4.0
  1. Download the three files described in the table below.

    Version                Patch                          Tracking issue
    Confluence 3.5 - 4.0   atlassian-xwork-10-1.17.jar    CONF-33738 - Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X
                           atlassian-xwork-core-1.17.jar
                           xwork-1.0.3.6.jar

    MD5 (atlassian-xwork-10-1.17.jar) = 789acc22737e29577b9e843d5faf0317
    MD5 (atlassian-xwork-core-1.17.jar) = 3e05c38578eec3583b9d5ef5e28fd058
    MD5 (xwork-1.0.3.6.jar) = 59c8950b1129637bb63aea94b4139d7f

  2. Shut down Confluence.
  3. Move the following files to a location outside of the <CONFLUENCE-INSTALL> folder:
    1. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-10.1.12.jar
    2. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-core.1.12.jar
    3. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/xwork-1.0.3.2.jar
  4. Add the downloaded files to the <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/ folder.
  5. Start up Confluence again.

To confirm that you have applied the patch successfully, check the version of the xwork jar that has been loaded into Confluence as follows.

  1. Log in as administrator.
  2. Navigate to the /admin/classpath.action URL on your instance and search for "xwork".
  3. There should be three hits: atlassian-xwork-10-1.17.jar, atlassian-xwork-core-1.17.jar and xwork-1.0.3.6.jar. This confirms that the patch has been correctly applied.
