This page last changed on Nov 14, 2010 by ssaasen.

Security Vulnerability in Confluence Remote API

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability in the Remote API which affects Confluence instances, including publicly available instances. The Remote API allows an attacker to escalate user privileges up to, but not including, system administrator privileges.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the RPC vulnerability.

Confluence Feature | Affected Confluence Versions | Fixed Version | Issue Tracking
User Access        | 2.7 – 3.4                    | 3.4.2         | CONF-21162

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability.

We strongly advise that you disable the remote APIs until your Confluence instance is patched or upgraded. If the Remote API is vital, we recommend you disable anonymous access to the remote API.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

Confluence 3.4.2 fixes this issue. For a full description of this release, see the release notes. You can download Confluence 3.4.2 from the download centre.

If you cannot upgrade to Confluence 3.4.2, you can patch your existing installation using the patch listed below.

Available Patch

If for some reason you cannot upgrade to the latest version of Confluence, you can apply the following patch to fix the vulnerability described in this security advisory.

Vulnerability                                     | Patch
Security vulnerability in Confluence Remote API   | confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip

Patch Procedure: Install the Patch

A patch is available for Confluence 2.7 – 3.4.1.

The patch addresses the following issue:

  • Security vulnerability in Confluence RPC (CONF-21162).

Applying the patch

If you are using the Standalone distribution of Confluence 2.7 – 3.4.1:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_install_dir>/confluence/ directory.
  3. Download the confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip file.
  4. Expand the zip file into <confluence_install_dir>/confluence/, overwriting the existing files.
  5. Restart Confluence.
  6. Visit <Confluence base url>/admin/patch342applied.jsp and confirm that it reports: "The Patch for Confluence 3.4.2 has been correctly applied."

If you are using the WAR distribution of Confluence:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_exploded_war>/confluence/ directory.
  3. Download the confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip file.
  4. Expand the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files.
  5. Run 'build.sh clean' on UNIX, or 'build.bat clean' on Windows.
  6. Run 'build.sh' on UNIX or 'build.bat' on Windows.
  7. Redeploy the Confluence web app into your application server.
  8. Restart Confluence.
  9. Visit <Confluence base url>/admin/patch342applied.jsp and confirm that it reports: "The Patch for Confluence 3.4.2 has been correctly applied."
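The following script is an added example, not part of the advisory or of Atlassian's patch, that automates the Standalone steps 2, 4 and 6 above: it backs up <confluence_install_dir>/confluence/, expands the patch zip over it, and checks that the patch-status page reports the exact confirmation sentence. It runs offline against a constructed throwaway directory and a constructed stand-in archive (the real patch's contents are not known to this example), and it refuses archive members that would write outside the target directory, a check worth having when you expand any zip over a live install.

```python
import os
import shutil
import tempfile
import zipfile
from datetime import datetime

# Confirmation text the advisory says patch342applied.jsp must report (step 6).
EXPECTED_MESSAGE = "The Patch for Confluence 3.4.2 has been correctly applied."
PATCH_ZIP_NAME = "confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip"


def backup_confluence_dir(install_dir: str) -> str:
    """Step 2: copy <confluence_install_dir>/confluence/ to a timestamped
    sibling directory and return the backup path."""
    src = os.path.join(install_dir, "confluence")
    if not os.path.isdir(src):
        raise FileNotFoundError(f"no confluence/ directory under {install_dir}")
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    dst = os.path.join(install_dir, f"confluence.bak-{stamp}")
    shutil.copytree(src, dst)
    return dst


def apply_patch_zip(zip_path: str, install_dir: str) -> list:
    """Step 4: expand the patch zip into <confluence_install_dir>/confluence/,
    overwriting existing files. Returns the sorted list of files written.
    Any member whose resolved path escapes the target directory is refused."""
    target = os.path.abspath(os.path.join(install_dir, "confluence"))
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.infolist():
            dest = os.path.abspath(os.path.join(target, member.filename))
            if os.path.commonpath([target, dest]) != target:
                raise ValueError(f"refusing unsafe zip member: {member.filename}")
            if member.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(member) as src, open(dest, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(member.filename)
    return sorted(written)


def patch_confirmed(page_body: str) -> bool:
    """Step 6: True only if the fetched patch-status page carries the exact
    confirmation sentence; anything else means the patch did not take."""
    return EXPECTED_MESSAGE in page_body


def build_demo_install(root: str) -> str:
    """Construct a throwaway Confluence-like layout (not a real install)."""
    install_dir = os.path.join(root, "confluence-3.4.1")
    classes = os.path.join(install_dir, "confluence", "WEB-INF", "classes")
    os.makedirs(classes)
    with open(os.path.join(classes, "example.properties"), "w") as f:
        f.write("version=3.4.1\n")
    return install_dir


def build_demo_patch_zip(path: str) -> str:
    """Construct a stand-in archive; its members are invented for the demo
    and are not the contents of the real Atlassian patch."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("WEB-INF/classes/example.properties", "version=3.4.2-patched\n")
        zf.writestr("admin/patch342applied.jsp", "<%-- demo placeholder --%>\n")
    return path


def run_demo() -> dict:
    """Back up, patch and verify against the constructed layout; return what
    each step produced so the outcome can be inspected or asserted on."""
    root = tempfile.mkdtemp()
    try:
        install_dir = build_demo_install(root)
        zip_path = build_demo_patch_zip(os.path.join(root, PATCH_ZIP_NAME))
        backup = backup_confluence_dir(install_dir)
        written = apply_patch_zip(zip_path, install_dir)
        rel = os.path.join("WEB-INF", "classes", "example.properties")
        with open(os.path.join(install_dir, "confluence", rel)) as f:
            patched = f.read().strip()
        with open(os.path.join(backup, rel)) as f:
            kept = f.read().strip()
        # Constructed status-page body standing in for the HTTP response.
        status_body = "<html><body>" + EXPECTED_MESSAGE + "</body></html>"
        return {"written": written, "patched": patched, "backup": kept,
                "confirmed": patch_confirmed(status_body)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


def rejects_traversal_member() -> bool:
    """Constructed case: an archive carrying '../evil.txt' must be refused."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "confluence"))
        bad = os.path.join(root, "bad.zip")
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("../evil.txt", "x")
        try:
            apply_patch_zip(bad, root)
        except ValueError:
            return True
        return False
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
    print("traversal refused:", rejects_traversal_member())
```

On a real install you would call backup_confluence_dir and apply_patch_zip with your actual <confluence_install_dir> and the downloaded zip between shutting down and restarting Confluence, then feed the body fetched from <Confluence base url>/admin/patch342applied.jsp to patch_confirmed; a False result means keep the backup and investigate before putting the instance back in service.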
Document generated by Confluence on Mar 16, 2011 18:29