Confluence Security Advisory - 2015-01-21

Note: As of September 2014, we no longer provide binary bug patches. Instead we create new maintenance releases for the major versions we backport to. Please see our Security Bug fix Policy for more details. As this policy is new and in transition, in this instance we have also provided patches for Confluence versions from 4.3.x to 5.6.x.

Date of Advisory: 21st January 2015

Product: Atlassian Confluence

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability that exists in all versions of Confluence up to and including 5.6.

Atlassian Cloud customers are not affected by any of the issues described in this advisory.

  • Customers who have downloaded and installed Confluence Server should upgrade their existing Confluence installations to fix this vulnerability.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered internally by Atlassian.

OGNL Double Evaluation Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to have an account and be able to access the Confluence web interface.

All versions of Confluence up to and including 5.6 are affected by this vulnerability. This issue can be tracked here: CONF-36080 (OGNL Double Evaluation Vulnerability, status: Resolved).

Risk Mitigation

If you are unable to upgrade your Confluence server you can do the following as a temporary workaround:

  • Block access to your Confluence server web interface from untrusted networks, such as the Internet.
  • Block, at a reverse proxy or a firewall, all requests whose URI parameters match the following regular expression pattern:

    .*(?:[{(]|%7B|%28).*(?:[})]|%7D|%29).*
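The following Python is an added illustration of the workaround rule above, not code from Atlassian: it applies the advisory's pattern to the raw query string of constructed request targets and shows the cost of the rule, namely that legitimate parameters containing parentheses are blocked as well. The case-insensitive flag and the sample paths are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# The workaround pattern exactly as published in the advisory: an opening brace or
# parenthesis (literal or percent-encoded) followed later by a closing one.
ADVISORY_PATTERN = r".*(?:[{(]|%7B|%28).*(?:[})]|%7D|%29).*"

# Compiled case-insensitively. That flag is an addition of this example, not part of
# the advisory: RFC 3986 treats the hex digits of a percent-encoding as
# case-insensitive, so a rule that only matches "%7B" and not "%7b" is incomplete.
BLOCK_RE = re.compile(ADVISORY_PATTERN, re.IGNORECASE)


def should_block(request_target: str) -> bool:
    """True if the request's raw query string matches the advisory's pattern.

    The undecoded query is inspected, which is what a reverse proxy or firewall
    sees; the pattern already lists both literal and %-encoded forms, so decoding
    first is unnecessary. Form-encoded POST bodies would need the same rule.
    """
    query = urlsplit(request_target).query
    return BLOCK_RE.search(query) is not None


def triage(request_targets):
    """Split request targets into (allowed, blocked) lists under the workaround."""
    allowed, blocked = [], []
    for target in request_targets:
        (blocked if should_block(target) else allowed).append(target)
    return allowed, blocked


# Constructed sample request targets for illustration, not captured traffic.
SAMPLE_REQUESTS = [
    "/pages/viewpage.action?pageId=65537",                # ordinary page view: allowed
    "/display/DOCS/Home",                                 # no query string: allowed
    "/some.action?title=%7Bexpr%7D",                      # encoded braces: blocked
    "/some.action?title=%7bexpr%7d",                      # lower-case hex: blocked only via IGNORECASE
    "/some.action?title=(expr)",                          # literal parentheses: blocked
    "/dosearchsite.action?queryString=minutes+(draft)",   # legitimate search text: blocked too (false positive)
]

if __name__ == "__main__":
    allowed, blocked = triage(SAMPLE_REQUESTS)
    print("allowed:", *allowed, sep="\n  ")
    print("blocked:", *blocked, sep="\n  ")
```

The same raw-query match is what a proxy rule would perform; expect to whitelist search and similar endpoints if the false positives are unacceptable.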

Fix

Releases 5.5.7, 5.6.6 (and any subsequent newer releases) are available to fix the vulnerability for versions 5.5 and 5.6. You can download these releases from:

If you have migrated from Atlassian Cloud to run Confluence locally and are using a Confluence 5.x-OD-xx-xxx install, you should follow the instructions to apply the security patch or upgrade to Confluence 5.7.

Upgrade (recommended)

The vulnerabilities and fix versions are described in the sections above.

Atlassian recommend that you upgrade to the latest version. For a full description of the latest version of Confluence, see its release notes.

Patches

As this policy is new and in transition, in this instance we have also provided patches for Confluence versions from 4.3.x to 5.6.x.

You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

If for some reason you cannot upgrade to the latest version of Confluence, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Confluence and may work for unsupported versions as well.

Patching supported versions of Confluence 4.3.x - 5.6.x

  1. Download the patch file.

    Version         Patch                            MD5
    4.3.x - 5.6.x   webwork-2.1.5-atlassian-3.jar    348ea1f5a0ebd5ab23827d551ef33fce
  2. Shut down Confluence.
  3. Move file <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/webwork-X.X.X-atlassian-X.jar to a location outside the <CONFLUENCE-INSTALL> folder.
  4. Add the downloaded webwork-2.1.5-atlassian-3.jar file to folder <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/.
  5. Start up Confluence again.

To confirm that you have applied the patch successfully, check the version of the webwork .jar that has been loaded into Confluence as follows.

  1. Log in as administrator.
  2. Navigate to the /admin/classpath.action URL on your instance and search for "/webwork-".
  3. There should be a single hit: webwork-2.1.5-atlassian-3.jar. This confirms that the patch has been correctly applied.
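As an added, on-disk complement to the classpath check above (this script is not Atlassian's), the following Python inspects <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib and reports the usual failure of step 3, an old webwork jar left beside the new one, as well as a jar whose MD5 differs from the value in the patch table. The directory argument and the helper names are assumptions of this example.

```python
import hashlib
from pathlib import Path

# Values taken from the advisory's patch table.
PATCH_JAR = "webwork-2.1.5-atlassian-3.jar"
PATCH_MD5 = "348ea1f5a0ebd5ab23827d551ef33fce"


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so a large jar need not fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_lib_dir(lib_dir: Path) -> dict:
    """Map every webwork-*.jar in the WEB-INF/lib directory to its MD5."""
    return {p.name: md5_of(p) for p in lib_dir.glob("webwork-*.jar")}


def evaluate_webwork_jars(jars: dict) -> tuple:
    """Decide whether the lib directory reflects a correctly applied patch.

    `jars` maps jar filename -> hex MD5. Returns (ok, reason). Mirrors the
    advisory's check: exactly one webwork jar, the patched one, with the
    published MD5. Two jars means the old one was not moved out (step 3).
    """
    if not jars:
        return False, "no webwork jar found"
    if len(jars) > 1:
        names = ", ".join(sorted(jars))
        return False, "multiple webwork jars present, old jar not moved out: " + names
    (name, digest), = jars.items()
    if name != PATCH_JAR:
        return False, "unpatched webwork jar present: " + name
    if digest.lower() != PATCH_MD5:
        return False, name + " has unexpected MD5 " + digest
    return True, name + " present with expected MD5"


if __name__ == "__main__":
    import sys
    # Hypothetical default path; pass the real WEB-INF/lib directory as argv[1].
    lib_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "confluence/WEB-INF/lib")
    ok, reason = evaluate_webwork_jars(scan_lib_dir(lib_dir))
    print(("OK" if ok else "NOT PATCHED") + ": " + reason)
```

Run it with Confluence shut down, between steps 4 and 5, so the result reflects what will be loaded on restart.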

Support

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy, critical security bug fixes will be back ported to major software versions for up to 12 months for Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for security issues

Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
