Confluence 3.5 : Confluence Security Advisory 2010-11-15
This page last changed on Nov 14, 2010 by ssaasen.
Security Vulnerability in Confluence Remote API

Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a vulnerability in the Remote API which affects Confluence instances, including publicly available instances. The vulnerability allows an attacker to escalate user privileges through the Remote API, although not to the level of system administrator.

Vulnerability
The table below describes the Confluence versions and the specific functionality affected by the RPC vulnerability.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability. We strongly advise that you disable the remote APIs until your Confluence instance is patched or upgraded. If the Remote API is essential to your deployment, we recommend that you at least disable anonymous access to it. We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix
Confluence 3.4.2 fixes this issue. For a full description of this release, see the release notes. You can download Confluence 3.4.2 from the download centre. If you cannot upgrade to Confluence 3.4.2, you can patch your existing installation using the patch listed below.

Available Patch
If for some reason you cannot upgrade to the latest version of Confluence, you can apply the following patch to fix the vulnerability described in this security advisory.
Patch Procedure: Install the Patch
A patch is available for Confluence 2.7 – 3.4.1. The patch addresses the following issue:
Applying the patch
If you are using the Standalone distribution of Confluence 2.7 – 3.4.1:
If you are using the WAR distribution of Confluence:
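Whichever route you take (upgrade, patch, or the interim measure under Risk Mitigation of disabling the Remote API or its anonymous access), it is worth confirming that an anonymous remote call is actually refused afterwards. The script below is an added example and is not part of this advisory or Atlassian's code; it assumes the Confluence 3.x XML-RPC conventions of an endpoint at /rpc/xmlrpc, a confluence1 method namespace, and an empty-string token for anonymous calls.

```python
"""Verify that the Confluence Remote API no longer answers anonymous callers.

Assumptions (Confluence 3.x conventions, not stated in the advisory):
  * the XML-RPC endpoint is <base_url>/rpc/xmlrpc
  * methods live in the confluence1 namespace
  * an empty string token means "call as anonymous"
"""
import sys
import xmlrpc.client

ANON_TOKEN = ""  # empty token = anonymous caller in the Confluence RPC API

# Re-exported so callers can construct these without importing xmlrpc.client.
Fault = xmlrpc.client.Fault
ProtocolError = xmlrpc.client.ProtocolError


def classify(outcome):
    """Map the outcome of an anonymous getServerInfo call to a verdict.

    `outcome` is either the dict the server returned or the exception raised.
    """
    if isinstance(outcome, dict):
        # Server info came back with no credentials at all: anonymous Remote
        # API access is still enabled, the state the advisory tells you to end.
        return "ANON_API_ENABLED"
    if isinstance(outcome, Fault):
        # The endpoint parsed the request but returned an XML-RPC fault: the
        # API is on, yet the anonymous call was refused.
        return "API_ON_ANON_REFUSED"
    if isinstance(outcome, Exception):
        # HTTP error, connection failure or a non-XML-RPC body: no usable RPC
        # response, consistent with the Remote API being disabled.
        return "NO_RPC_RESPONSE"
    return "UNKNOWN"


def check_anonymous_remote_api(base_url):
    """Issue one anonymous getServerInfo call against base_url and classify it."""
    proxy = xmlrpc.client.ServerProxy(base_url.rstrip("/") + "/rpc/xmlrpc")
    try:
        outcome = proxy.confluence1.getServerInfo(ANON_TOKEN)
    except Exception as exc:  # Fault, ProtocolError, socket errors, parse errors
        outcome = exc
    return classify(outcome)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    print(check_anonymous_remote_api(target))
```

Run it against your own instance before and after the change; only ANON_API_ENABLED indicates the interim mitigation is not in effect.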
Document generated by Confluence on Mar 16, 2011 18:29