Confluence 3.5 : Confluence Security Advisory 2010-09-21
This page last changed on Oct 11, 2010 by alui.
This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.3.3. We recommend that you upgrade to Confluence 3.3.3 to fix these vulnerabilities.

In this advisory:

- Path Traversal Vulnerability in Various Confluence Actions
- Configuration of Office Connector Temporary Storage Location
- XSS Vulnerability in the Office Connector
- XSRF Vulnerability in Confluence Mail Page Plugin
- Available Patches and Plugin Upgrades

Path Traversal Vulnerability in Various Confluence Actions

Severity

Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers may be able to retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal attacks are also called 'directory traversal' or 'dot-dot-slash' (../) attacks.

The degree to which a Confluence instance is vulnerable depends on a number of factors in the implementation of the instance. See the mitigation strategies below for details of how you can reduce your exposure. You can read more about path traversal attacks at the Open Web Application Security Project (OWASP) and other places on the web.

Vulnerability

The path traversal vulnerability exists in various Confluence actions, in all versions of Confluence up to and including 3.3.1. See CONF-20668 for issue tracking.

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately, please consider the following mitigation strategies:
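The defensive check behind "dot-dot-slash" is to resolve the supplied path against a fixed base directory, normalize the result, and refuse anything that no longer sits under that base. The following Java class is an added illustration of that check; it is not Confluence code and has no relation to the affected actions. The base directory and the sample inputs are constructed for the example, and the same check applies whether the path arrives in a request parameter or is read from an administrator-editable setting.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Confluence code): resolve an externally supplied
 * relative path under a fixed base directory and reject anything that
 * escapes it after normalization.
 */
public final class SafePathResolver {

    private final Path base;

    public SafePathResolver(Path baseDir) {
        // Normalize once so the later prefix comparison is component-wise
        // and independent of the process working directory.
        this.base = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved path if it stays inside the base directory,
     * otherwise throws. The check is done on the normalized result rather
     * than by pattern-matching "../" in the string, because mixed
     * separators, redundant "./" segments and absolute inputs all defeat
     * string matching but collapse correctly under normalize().
     */
    public Path resolve(String supplied) throws IOException {
        if (supplied == null || supplied.isEmpty()) {
            throw new IOException("empty path");
        }
        // base.resolve(absoluteInput) returns the absolute input unchanged,
        // so resolve() alone is no guard; the startsWith check is the guard.
        // Path.startsWith compares whole components, so /data/attachments
        // does not accidentally accept /data/attachments-old/x.
        Path candidate = base.resolve(supplied).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + supplied);
        }
        return candidate;
    }

    /** Convenience wrapper: true only if resolve() would accept the input. */
    public boolean isSafe(String supplied) {
        try {
            resolve(supplied);
            return true;
        } catch (IOException | InvalidPathException e) {
            // InvalidPathException covers inputs the filesystem rejects outright
            // (for example an embedded NUL byte on most platforms).
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed base directory for the demonstration.
        SafePathResolver r = new SafePathResolver(Paths.get("/opt/confluence-data/attachments"));
        String[] samples = {
            "SPACE/page/report.doc",          // allowed
            "./SPACE/../SPACE/report.doc",    // allowed: normalizes back under base
            "../../../etc/passwd",            // rejected: climbs out of base
            "SPACE/../../../etc/passwd",      // rejected: climbs out after a valid segment
            "/etc/passwd"                     // rejected: absolute input replaces the base
        };
        for (String s : samples) {
            System.out.println((r.isSafe(s) ? "allowed  " : "REJECTED ") + s);
        }
    }
}
```

Two caveats for real deployments: normalize() is purely lexical, so if the base directory may contain symbolic links pointing outside it, compare against Path.toRealPath() instead (which requires the target to exist); and the check must run on the server-side path after any URL decoding, not on the raw request string.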
Fix

Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre. If you cannot upgrade to Confluence 3.3.3, you can patch your existing installation using the patches listed below.

Our thanks to Warren Leung of UCLA, who reported this vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Configuration of Office Connector Temporary Storage Location

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues.

Risk Assessment

Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files onto the file system.

Vulnerability

This vulnerability exists in the Office Connector configuration, made available to Confluence administrators via the Confluence Administration Console and the related Confluence action. This vulnerability affects versions of Confluence from 2.8 up to and including 3.3.1, where the Office Connector is installed. Please note that the Office Connector is bundled in Confluence 2.10 and later. See CONF-20669 for issue tracking.

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can choose one of the following mitigation strategies:
In addition, please refer to our guidelines on best practices for configuring Confluence security.

Fix

Confluence 3.3.3 fixes this issue. Administrators must edit a properties file to configure the path. See the release notes for more information. You can download Confluence 3.3.3 from the download centre. If you cannot upgrade to Confluence 3.3.3, you can patch your existing installation using the patches listed below.

XSS Vulnerability in the Office Connector

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues.

Risk Assessment

We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances, including publicly available instances.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

The XSS vulnerability is exposed in the document import function of the Confluence Office Connector. This vulnerability exists in Confluence 3.3.1 only, where the Office Connector is enabled. Please note that the Office Connector is bundled in Confluence. See CONF-20670 for issue tracking.

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the Office Connector plugin. You can disable plugins via the Confluence Administration Console. See our documentation on installing and configuring plugins.

In addition, please refer to our guidelines on best practices for configuring Confluence security. In particular, please read our guidelines on using Apache to limit access to the Confluence administration interface.

Fix

Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.

XSRF Vulnerability in Confluence Mail Page Plugin

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues.

Risk Assessment

We have identified and fixed a cross-site request forgery (XSRF) vulnerability which may affect Confluence instances, including publicly available instances. An attacker might take advantage of the vulnerability to trick users into emailing the contents of restricted pages to an arbitrary address without their knowledge.

An XSRF attack works by exploiting the trust that a site has for the user. If a user is logged in to Confluence and an attacker tricks their browser into making a request to a Confluence URL, then the task is performed as the logged-in user. You can read more about XSRF attacks at cgisecurity and other places on the web.
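The usual fix for the trust problem just described is to require, on every state-changing request, a secret token that the site embedded in its own form and that a page on another origin cannot read; the session cookie alone is then no longer enough to trigger the action. The Java class below is an added illustration of that pattern and is not the Mail Page plugin's code. The session identifier, the recipients and the in-memory token map are constructed stand-ins for a real session store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Confluence or Mail Page plugin code): a per-session
 * anti-XSRF token that a "mail this page" action must present before it runs.
 */
public final class XsrfTokenGuard {

    private static final SecureRandom RNG = new SecureRandom();

    // session id -> token; constructed stand-in for server-side session state.
    private final Map<String, String> tokensBySession = new HashMap<>();

    /**
     * Issue (or return the existing) token for a session. The site writes it
     * into its own forms as a hidden field; a page on another origin has no
     * way to read it, so a forged request cannot include it.
     */
    public String tokenFor(String sessionId) {
        return tokensBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];          // 256 bits of entropy
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** Validate a submitted token with a constant-time comparison. */
    public boolean isValid(String sessionId, String submitted) {
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Simulated state-changing action ("mail this page"). The action runs only
     * when the token matches the caller's session; being logged in is not enough.
     */
    public boolean mailPage(String sessionId, String submittedToken, String recipient, StringBuilder log) {
        if (!isValid(sessionId, submittedToken)) {
            log.append("rejected: missing or invalid XSRF token, recipient ").append(recipient).append('\n');
            return false;
        }
        log.append("sent page to ").append(recipient).append('\n');
        return true;
    }

    public static void main(String[] args) {
        XsrfTokenGuard guard = new XsrfTokenGuard();
        String session = "sess-123";              // constructed session id
        String token = guard.tokenFor(session);   // issued when the site renders its own form
        StringBuilder log = new StringBuilder();

        guard.mailPage(session, token, "colleague@example.com", log);   // legitimate form submission
        guard.mailPage(session, null, "outside@example.com", log);      // cross-origin request: no token
        guard.mailPage(session, "guess", "outside@example.com", log);   // cross-origin request: wrong token
        System.out.print(log);
    }
}
```

In a servlet the token would be read from a POST parameter and compared against the one stored in the HttpSession; the action should also refuse GET requests, since a link or image tag can trigger a GET without any form at all.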
Vulnerability

The XSRF vulnerability is exposed in the Confluence Mail Page plugin. This vulnerability exists in versions of Confluence from 2.4 up to and including 3.3.1, where the Mail Page plugin is enabled. Note that the Mail Page plugin is disabled by default. If you do not have this plugin enabled, your site will not be affected. See CONF-20671 for issue tracking.

Risk Mitigation

We recommend that you upgrade your Confluence installation, or install the updated Confluence Mail Page plugin into your Confluence installation, to fix this vulnerability. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the Confluence Mail Page plugin. (Note that the plugin is disabled by default.)

Fix

Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre. The latest version (v1.12) of the Confluence Mail Page plugin also fixes this issue. You can download the plugin from the Atlassian Plugin Exchange. Please refer to the documentation for instructions on installing plugins.

Available Patches and Plugin Upgrades

If for some reason you cannot upgrade to Confluence 3.3.3, you can apply the following patches and plugin upgrades to fix the vulnerabilities described in this security advisory.

Step 1 of the Patch Procedure: Install the Patch

A patch is available for Confluence 3.2.1. (That is, the Confluence 3.2.1_01 distribution.) If you have Confluence 3.2.0, you need to upgrade to Confluence 3.2.1 before applying the patch. The patch addresses the following issue:
Applying the patch

If you are using the Standalone distribution of Confluence 3.2.1:
If you are using the WAR distribution of Confluence:
Step 2 of the Patch Procedure: Upgrade your Plugins

Some of the above vulnerabilities exist in plugins and are therefore not included in the patch. To fix these vulnerabilities, you will need to upgrade the affected plugin to get the fixed version. You can upgrade the plugins in the normal manner, via the Confluence Plugin Repository. Please refer to the documentation for more details on installing plugins.
Document generated by Confluence on Mar 16, 2011 18:29