Confluence Security Advisory - 2019-04-17

Confluence Security Overview and Advisories

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Confluence - Path traversal vulnerability - CVE-2019-3398

SummaryCVE-2019-3398 - Path traversal in the downloadallattachments resource
Advisory Release Date

  10 AM PDT (Pacific Time, -7 hours)

Products
  • Confluence Server
  • Confluence Data Center

Affected Confluence Server Versions

  • 2.0.0 <= version < 6.6.13
  • 6.7.0 <= version < 6.12.4
  • 6.13.0 <= version < 6.13.4
  • 6.14.0 <= version < 6.14.3
  • 6.15.0 <= version < 6.15.2
Click here to expand...
  • All 2.x.x versions
  • All 3.x.x versions
  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions before 6.6.13
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions before 6.12.4
  • All 6.13.x versions before 6.13.4
  • All 6.14.x versions before 6.14.3
  • All 6.15.x versions before 6.15.2

Fixed Confluence Server Versions

  • 6.6.13
  • 6.12.4
  • 6.13.4
  • 6.14.3
  • 6.15.2
CVE ID(s)CVE-2019-3398


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 2.0.0 of Confluence Server and Confluence Data Center. Versions of Confluence Server and Data Center starting with 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2  are affected by this vulnerability. 

Atlassian Cloud instances are not affected by the issue described on this page.

Customers who have upgraded Confluence Server and or Data Center to version 6.6.13 or 6.12.4 or 6.13.4 or 6.14.3 or 6.15.2  are  not affected .

Customers who have downloaded and installed these versions of Confluence Server or Data Center are affected:

  • All 2.x.x versions
  • All 3.x.x versions
  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions before 6.6.13
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions before 6.12.4
  • All 6.13.x versions before 6.13.4
  • All 6.14.x versions before 6.14.3
  • All 6.15.x versions before 6.15.2
Please upgrade your Confluence Server or Data Center installations immediately to fix this vulnerability.


Path traversal in the downloadallattachments resource - CVE-2019-3398

Severity 

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.  This issue can be tracked here:  CONFSERVER-58102 - Getting issue details... STATUS

Acknowledgements

Credit for finding this vulnerability goes to Jānis Krusts of IT Centr. 

Fix

We have taken the following steps to address this issue:

What You Need to Do

Atlassian recommends that you upgrade to the latest version (6.15.2). For a full description of the latest version of Confluence Server and Data Center, see the Release Notes. You can download the latest version of Confluence from the Atlassian website and find our Confluence installation and upgrade guide here.

If you cannot upgrade Confluence Server to version 6.15.2 or higher.

(1) If you have a current feature version (a feature version released on 4th October 2018 or later), upgrade to the next bugfix version of your current feature version.

If you have feature version

then upgrade to bugfix version:

6.12.0, 6.12.1, 6.12.2, 6.12.3

6.12.4

6.13.0, 6.13.1, 6.13.2, 6.13.36.13.4

6.14.0, 6.14.1, 6.14.2

6.14.3

(2) If you have a current enterprise release version (an enterprise release version released on 4th April 2017 or later), upgrade to the latest version of your enterprise release version.

If you have enterprise release version

then upgrade to version:

6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

6.6.13

6.13.0, 6.13.1, 6.13.2, 6.13.3

6.13.4

(3) If you have an older version (a feature version released before 4th October 2018, or an enterprise release version released before 4th April 2017), either upgrade to the latest version of Confluence Server or Data Center, or to the latest version of an enterprise release version.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you should block the affected <base-url>/<context-path>/pages/downloadallattachments.action URL. Disabling this URL will prevent anyone downloading all attachments via the attachments page, or the attachments macro. Downloading individual attachments will still work. 

To block the URL directly in Tomcat:

  1. Stop Confluence.
  2. Edit <install-directory>/conf/server.xml.
  3. Add the following inside the <Host>  element:

    <Context path="/pages/downloadallattachments.action" docBase="" >
        <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>

    If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path, as shown here:

    <Context path="/wiki/pages/downloadallattachments.action" docBase="" >
        <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>
  4. Save the file, and restart Confluence.

To verify that the workaround was applied correctly:

  1. Navigate to a page or blog that has 2 or more attachments. 
  2. Go to 
    More options
     > Attachments and then click Download all attachments.

You should see a 404 error and no files should be downloaded. 

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy.  We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released. 

Severity Levels for security issuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy Our end of life policy varies for different products. Please refer to our EOL Policy for details. 
Last modified on Apr 17, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.