Confluence Security Advisory - 2019-03-20
March 2019 Confluence Server Advisory - WebDAV and Widget Connector vulnerabilities
Summary | March 2019 Confluence Server and Data Center Advisory - WebDAV and Widget Connector vulnerabilities |
---|---|
Advisory release date | 20 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours) |
Products | Confluence Server, Confluence Data Center |
Affected versions | CVE-2019-3395: before 6.6.7, 6.7.0 to 6.8.4, 6.9.0 to 6.9.2; CVE-2019-3396: before 6.6.12, 6.7.0 to 6.12.2, 6.13.0 to 6.13.2, 6.14.0 to 6.14.1 |
Fixed versions | 6.6.12, 6.12.3, 6.13.3, 6.14.2, 6.15.1 |
CVE ID(s) | CVE-2019-3395, CVE-2019-3396 |
Summary of vulnerabilities
This advisory discloses two critical severity security vulnerabilities in Confluence Server and Confluence Data Center.
Customers who have upgraded to Confluence Server or Data Center versions 6.6.12, 6.12.3, 6.13.3, 6.14.2 or higher are not affected. Customers using Confluence Cloud are not affected.
Customers who have downloaded and installed the following versions of Confluence Server or Data Center are affected:
- all versions before 6.6.12
- 6.7.0 to 6.12.2
- 6.13.0 to 6.13.2
- 6.14.0 to 6.14.1
Please upgrade your Confluence Server or Data Center installations immediately to fix these vulnerabilities.
WebDAV vulnerability - CVE-2019-3395
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Confluence Server and Data Center versions released before the 18th June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
The following versions are affected: all versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x).
This issue can be tracked here: CONFSERVER-57971
Acknowledgements
Credit for finding this vulnerability goes to Shubham Shah from Assetnote (https://assetnote.io) and Orange Tsai from DEVCORE (https://devco.re).
Widget Connector vulnerability - CVE-2019-3396
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
The following versions are affected: all versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).
This issue can be tracked here: CONFSERVER-57974
Acknowledgements
Credit for finding this vulnerability goes to Daniil Dmitriev (https://twitter.com/ddv_ua).
Fix
We have taken the following steps to address these issues:
- Released Confluence Server and Data Center version 6.15.1, which contains fixes for these issues and can be downloaded from https://www.atlassian.com/software/confluence/download/ and https://atlassian.com/software/confluence/download/data-center
- Released Confluence Server and Data Center versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2, which contain fixes for these issues and can be downloaded from https://www.atlassian.com/software/confluence/download-archives
What you need to do
Atlassian recommends that you upgrade to the latest version (6.15.1). For a full description of the latest version of Confluence Server and Data Center, see the Release Notes. You can download the latest version of Confluence from the Atlassian website.
If you can’t upgrade to the latest version (6.15.1):
(1) If you have a current feature version (a feature version released on 4th October 2018 or later), upgrade to the next bugfix version of your current feature version.
If you have feature version… | …then upgrade to this bugfix version: |
---|---|
6.12.0, 6.12.1, 6.12.2 | 6.12.3 |
6.14.0, 6.14.1 | 6.14.2 |
(2) If you have a current enterprise release version (an enterprise release version released on 4th April 2017 or later), upgrade to the latest version of your enterprise release version.
If you have enterprise release version… | …then upgrade to this version: |
---|---|
6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11 | 6.6.12 |
6.13.0, 6.13.1, 6.13.2 | 6.13.3 |
(3) If you have an older version (a feature version released before 4th October 2018, or an enterprise release version released before 4th April 2017), either upgrade to the latest version of Confluence Server or Data Center, or to the latest version of an enterprise release version.
If you have an older version… | …then upgrade to any of these versions: |
---|---|
1.x.x, 2.x.x, 3.x.x, 4.x.x, 5.x.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.7.x, 6.8.x, 6.9.x, 6.10.x, 6.11.x | 6.14.2, 6.13.3 or 6.6.12 |
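An added example (not Atlassian's code) that turns the affected ranges from the two Description sections and the three upgrade tables above into a version check you can run against an inventory; it assumes nothing beyond the version strings quoted on this page:

```python
"""Check an installed Confluence Server / Data Center version against the
affected ranges and upgrade tables in this advisory (CVE-2019-3395, CVE-2019-3396).
Example added to this page; ranges and fixed versions are transcribed from it."""
import sys
from typing import List, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (e.g. '6.12.1') into a comparable tuple."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Confluence x.y.z version: {s!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

# Affected ranges per CVE as (lower inclusive, upper exclusive), from the advisory.
AFFECTED = {
    "CVE-2019-3395": [("0.0.0", "6.6.7"), ("6.7.0", "6.8.5"), ("6.9.0", "6.9.3")],
    "CVE-2019-3396": [("0.0.0", "6.6.12"), ("6.7.0", "6.12.3"),
                      ("6.13.0", "6.13.3"), ("6.14.0", "6.14.2")],
}
LATEST = "6.15.1"
# Bugfix release per still-supported branch (upgrade tables 1 and 2).
BRANCH_FIX = {(6, 6): "6.6.12", (6, 12): "6.12.3", (6, 13): "6.13.3", (6, 14): "6.14.2"}

def affected_by(version: str) -> List[str]:
    """CVE ids from this advisory that apply to the given version (empty if none)."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)]

def upgrade_targets(version: str) -> List[str]:
    """Fixed versions the advisory's tables point to; empty if not affected.
    In-branch installs get their branch bugfix release; anything older gets
    the latest version or one of the fixed enterprise releases (table 3)."""
    if not affected_by(version):
        return []
    branch = parse_version(version)[:2]
    if branch in BRANCH_FIX:
        return [BRANCH_FIX[branch]]
    return [LATEST, "6.14.2", "6.13.3", "6.6.12"]

if __name__ == "__main__":
    for arg in sys.argv[1:] or ["6.12.1"]:  # default is a constructed sample input
        cves = affected_by(arg)
        status = "AFFECTED by " + ", ".join(cves) if cves else "not affected"
        hint = f"; upgrade to {' or '.join(upgrade_targets(arg))}" if cves else ""
        print(f"{arg}: {status}{hint}")
```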
Mitigation
If you are unable to upgrade Confluence immediately, then as a temporary workaround you can go to Administration menu > Manage apps / add-ons, select System, and disable the following system plugins in Confluence:
- WebDAV plugin
- Widget Connector
If you disable the Widget Connector plugin, the Widget Connector macro will not be available. This macro is used to display content from websites like YouTube, Vimeo, and Twitter. Users will see an 'unknown macro' error.
If you disable the WebDAV plugin, you will not be able to connect to Confluence using a WebDAV client. Disabling this plugin will also automatically disable the Office Connector plugin, which means Office Connector features such as Import from Word, and Edit in Office will not be available. Note that because WebDAV is not required to edit files from Confluence 6.11 and later, you will still be able to edit files in those versions.
After upgrading, you will need to manually re-enable:
- WebDAV plugin
- Widget Connector
- Office Connector
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
- Our SLAs and guarantees for bugfixes.
- Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
- Our end of life policy varies for different products. Please refer to the policy for details.