We are writing to inform you of several recently discovered security vulnerabilities in Atlassian Confluence. Two of these security vulnerabilities are rated as high; one is rated as medium. None are rated critical. To fix these vulnerabilities, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at
http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2011-05-31.
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian Security Policies (
http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at
http://support.atlassian.com/.
*** Security Advisory ***
This advisory announces security vulnerabilities that we have found in Confluence and fixed in a recent version of Confluence. We also provide upgraded plugins and patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your complete Confluence installation rather than upgrading only the affected plugins. Enterprise Hosted customers should request an upgrade by raising a support request at
http://support.atlassian.com. JIRA Studio is not vulnerable to the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
*XSS Vulnerabilities*
Severity -- Atlassian rates the severity level of both these vulnerabilities as high, according to the scale published in
http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. These vulnerabilities are not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Risk Assessment -- We have identified and fixed cross-site scripting (XSS) vulnerabilities that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com,
http://projects.webappsec.org/Cross-Site+Scripting and other places on the web.
Vulnerability -- The list below describes the Confluence versions and the specific functionality affected by the XSS vulnerabilities.
1) Vulnerability in Login: affects Confluence 3.5 -- 3.5.2; fixed in Confluence 3.5.3. See tracking issue
http://jira.atlassian.com/browse/CONF-22402.
2) Vulnerability in Settings Editor: affects Confluence 2.7; fixed in Confluence 3.5.3. See tracking issue
http://jira.atlassian.com/browse/CONF-22479.
Our thanks to Marian Ventuneac (
http://www.ventuneac.net/) who reported the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Risk Mitigation -- We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
Fix -- These vulnerabilities (CONF-22402 and CONF-22479) are both fixed in Confluence 3.5.3, and later versions. For a full description of the latest version of Confluence, see the release notes (
http://confluence.atlassian.com/display/DOC/Release+Notes). You can download the latest version of Confluence from the download centre (
http://www.atlassian.com/software/confluence/ConfluenceDownloadCenter.jspa). If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
Patches -- If you are running Confluence 3.5, we highly recommend that you upgrade to Confluence 3.5.3, or later. If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22479 vulnerability. The CONF-22402 vulnerability does not affect Confluence 3.4.
A patch for the security vulnerability in the Settings Editor is available for Confluence 3.4 – 3.4.9 and is attached to tracking issue CONF-22479. The patch is available at:
https://jira.atlassian.com/secure/attachment/47916/CONF-22479_patch.zip
Applying the patch -- If you are using Confluence 3.4 – 3.4.9:
1) Download the CONF-22479_patch.zip file that is attached to the CONF-22479 (
http://jira.atlassian.com/browse/CONF-22479) issue.
2) Stop Confluence.
3) Make a backup of the <confluence_install_dir> directory.
4) Expand the downloaded zip file into <confluence_install_dir>, overwriting the existing files.
5) Check that the following files were created:
- confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
- confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
- confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class
6) Restart Confluence.
*XSRF Vulnerability*
Severity -- Atlassian rates the severity level of both this vulnerability as medium, according to the scale published in
http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. This vulnerability is not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Risk Assessment -- We have identified and fixed a cross-site request forgery (XSRF) vulnerability that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSRF vulnerabilities allow an attacker to trick users into unintentionally adding bookmarks to Confluence spaces. You can read more about XSRF attacks at
http://www.cgisecurity.com/csrf-faq.html and other places on the web.
Vulnerability -- The Confluence versions and the specific functionality affected by the XSRF vulnerability is described below.
- Vulnerability in Social Bookmarking plugin: affects Confluence 3.0 -- 3.4.9; fixed in Confluence 3.5. See tracking issue
http://jira.atlassian.com/browse/CONF-22565.
Risk Mitigation -- We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
Fix -- This vulnerability (CONF-22565) is fixed in Confluence 3.5, and later versions. For a full description of the latest version of Confluence, see the (
http://confluence.atlassian.com/display/DOC/Release+Notes). You can download the latest version of Confluence from the download centre (
http://www.atlassian.com/software/confluence/ConfluenceDownloadCenter.jspa).If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
Patches -- If you are running Confluence 3.5, the CONF-22565 vulnerability is already fixed, but we highly recommend that you upgrade to the latest version of Confluence. If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22565 vulnerability.
A patch for the security vulnerability in the Social Bookmarking plugin is available for Confluence 3.4 – 3.4.9 and is attached to tracking issue CONF-22565. The patch is available at
https://jira.atlassian.com/secure/attachment/47918/socialbookmarking-1.3.9.jar.
Applying the patch -- If you are using Confluence 3.4 – 3.4.9 use the plugin manager to upgrade the Social Bookmarking plugin to a version equal to or greater than 1.3.9. For details on upgrading Confluence's plugins using the plugin manager, see
http://confluence.atlassian.com/display/CONF34/Upgrading+your+Existing+Plugins.
Securely yours,
Atlassian
