Confluence 3.5 : Confluence Security Advisory 2010-10-12
This page last changed on Oct 11, 2010 by smaddox.
This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.4. In addition to releasing Confluence 3.4, we also provide patches for the vulnerabilities mentioned below. You will be able to apply these patches to existing installations of Confluence 3.3.3. However, we recommend that you upgrade to Confluence 3.4 to fix these vulnerabilities.
In this advisory:
XSS Vulnerabilities
Severity
Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances, including publicly available instances.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Vulnerability
The table below describes the parts of Confluence affected by the XSS vulnerabilities.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups. We also recommend that you read our guidelines on best practices for configuring Confluence security and using Apache to limit access to the Confluence administration interface.
Fix
Confluence 3.4 fixes these issues. For a full description of this release, see the release notes. You can download Confluence 3.4 from the download centre. If you cannot upgrade to Confluence 3.4, you can patch your existing installation using the patches listed below.
Available Patches and Plugin Upgrades
If for some reason you cannot upgrade to Confluence 3.4, you can apply the following patches and plugin upgrades to fix the vulnerabilities described in this security advisory.
Step 1 of the Patch Procedure: Install the Patch
A patch is available for Confluence 3.3.3. The patch addresses the following issues:
If you are using the Standalone distribution of Confluence:
If you are using the WAR distribution of Confluence:
Step 2 of the Patch Procedure: Upgrade the Affected Plugins
Some of the above vulnerabilities exist in plugins and are therefore not included in the patch. To fix these vulnerabilities, you will need to upgrade the affected plugins. You can upgrade the plugins in the normal manner, via the Confluence Plugin Repository. Please refer to the documentation for more details on installing plugins.
Document generated by Confluence on Mar 16, 2011 18:29