Confluence Security Advisory - 2019-03-20

Confluence Security Overview and Advisories

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

March 2019 Confluence Server Advisory - WebDAV and Widget Connector vulnerabilities

Summary

March 2019 Confluence Server and Data Center Advisory - WebDAV and Widget Connector vulnerabilities

Advisory release date

20 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours)

Products

  • Confluence Server

  • Confluence Data Center

Affected versions

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions

  • All 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions

  • All 6.6.x versions before 6.6.12

  • All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions

  • All 6.12.x versions before 6.12.3

  • All 6.13.x versions before 6.13.3

  • All 6.14.x versions before 6.14.2

Fixed versions

  • Version 6.6.12 and higher versions of 6.6.x

  • Version 6.12.3 and higher versions of 6.12.x

  • Version 6.13.3 and higher versions of 6.13.x

  • Version 6.14.2 and higher

CVE ID(s)

  • CVE-2019-3395

  • CVE-2019-3396

Summary of vulnerabilities

This advisory discloses two critical severity security vulnerabilities in Confluence Server and Confluence Data Center.

Customers who have upgraded to Confluence Server or Data Center versions 6.6.12, 6.12.3, 6.13.3, 6.14.2 or higher are not affected.

Customers using Confluence Cloud are not affected.

Customers who have downloaded and installed these versions of Confluence Server or Data Center are affected:

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions

  • All 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions

  • All 6.6.x versions before 6.6.12

  • All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions

  • All 6.12.x versions before 6.12.3

  • All 6.13.x versions before 6.13.3

  • All 6.14.x versions before 6.14.2

Please upgrade your Confluence Server or Data Center installations immediately to fix this vulnerability.

WebDAV vulnerability - CVE-2019-3395

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center versions released before the 18th June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x). 

This issue can be tracked here:  CONFSERVER-57971 - Getting issue details... STATUS

Acknowledgements

Credit for finding this vulnerability goes to Shubham Shah from Assetnote (https://assetnote.io) and Orange Tsai from DEVCORE (https://devco.re).

Widget Connector vulnerability - CVE-2019-3396

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

There was an server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x). 

This issue can be tracked here:  CONFSERVER-57974 - Getting issue details... STATUS

Acknowledgements

Credit for finding this vulnerability goes to Daniil Dmitriev (https://twitter.com/ddv_ua).


Fix

We have taken the following steps to address these issues:

What you need to do

Atlassian recommends that you upgrade to the latest version (6.15.1). For a full description of the latest version of Confluence Server and Data Center, see the Release Notes. You can download the latest version of Confluence from the Atlassian website.

If you can’t upgrade to the latest version (6.15.1):

(1) If you have a current feature version (a feature version released on 4th October 2018 or later), upgrade to the next bugfix version of your current feature version.

If you have feature version…

…then upgrade to this bugfix version:

6.12.0, 6.12.1, 6.12.2

6.12.3

6.14.0, 6.14.1

6.14.2

(2) If you have a current enterprise release version (an enterprise release version released on 4th April 2017 or later), upgrade to the latest version of your enterprise release version.

If you have enterprise release version…

…then upgrade to this version:

6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11

6.6.12

6.13.0, 6.13.1, 6.13.2

6.13.3

(3) If you have an older version (a feature version released before 4th October 2018, or an enterprise release version released before 4th April 2017), either upgrade to the latest version of Confluence Server or Data Center, or to the latest version of an enterprise release version.

If you have older version…

…then upgrade to any of these versions:

1.x.x

2.x.x

3.x.x

4.x.x

5.x.x

6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x

6.7.x, 6.8.x, 6.9.x, 6.10.x, 6.11.x

6.14.2

6.13.3

6.6.12

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can go to Administration  > Manage apps / add-ons select System, and disable the following system plugins in Confluence:

  • WebDAV plugin
  • Widget Connector

If you disable the Widget Connector plugin, the Widget Connector macro will not be available. This macro is used to display content from websites like YouTube, Vimeo, and Twitter. Users will see an 'unknown macro' error. 

If you disable the WebDAV plugin, you will not be able to connect to Confluence using a WebDAV client. Disabling this plugin will also automatically disable the Office Connector plugin, which means Office Connector features such as Import from Word, and Edit in Office will not be available. Note that because WebDAV is not required to edit files from Confluence 6.11 and later, you will still be able to edit files in those versions. 

After upgrading, you will need to manually re-enable:

  • WebDAV plugin
  • Widget Connector
  • Office Connector.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bugfix Policy

Our SLAs and guarantees for bugfixes.

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to the policy for details.

Last modified on Apr 3, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.