Dear customers,
We are writing to inform you of a newly discovered security vulnerability in Confluence. This security vulnerability has a severity level of critical and exists in all versions of Confluence up to and including 4.1.7.
* Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations to fix this vulnerability.
* Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
* JIRA Studio and Atlassian OnDemand customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
*** Security Advisory ***
*Critical XML Parsing Vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues: http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description -- We have identified and fixed a vulnerability in Confluence that results from the way third-party XML parsers are used in Confluence. This vulnerability allows an attacker to:
* execute denial of service attacks against the Confluence server, or
* read all local files readable to the system user under which Confluence runs.
The attacker does not need to have an account with the affected Confluence instance.
All versions of Confluence up to and including 4.1.7 are affected by this vulnerability. This issue can be tracked here:
https://jira.atlassian.com/browse/CONF-25077
The Gliffy for Confluence plugin is also affected by this vulnerability. If you are using the Gliffy plugin for Confluence with any version of Confluence, you will need to upgrade it (see the 'Fix' section below) or disable it.
Risk Mitigation -- We recommend that you upgrade your Confluence installation to fix this vulnerability. Alternatively, if you are not in a position to upgrade, you should do all of the following until you can upgrade. Please note that these measures will only limit the impact of the vulnerability; they will not mitigate it completely.
* Disable access to the SOAP and XML-RPC APIs, if these remote APIs are not required. Note that remote API access is disabled by default. See http://confluence.atlassian.com/display/DOC/Enabling+the+Remote+API for instructions.
* Disable the following plugins/plugin modules (see http://confluence.atlassian.com/display/DOC/Disabling+or+Enabling+a+Plugin):
** Office Connector plugin
** JUnitReport macro module of the confluence-advanced-macros plugin
** confluence-jira3-macros plugin
** WebDAV
* Disable public access (such as anonymous access and public signup) to Confluence until you have upgraded.
* Ensure that your Confluence system user is restricted as described in best practices for configuring Confluence security.
Fix
* Upgrade --
1. Upgrade to Confluence 4.2 or later, which fixes this vulnerability. For a full description of this release, see the Confluence 4.2 Release Notes: http://confluence.atlassian.com/display/DOC/Confluence+4.2+Release+Notes. The following releases have also been made available to fix these issues in older Confluence versions. You can download these versions of Confluence from the download centre: http://www.atlassian.com/software/confluence/ConfluenceDownloadCenter.jspa
** Confluence 4.1.10 for Confluence 4.1
** Confluence 4.0.7 for Confluence 4.0
** Confluence 3.5.16 for Confluence 3.5
2. Upgrade the following Confluence third-party plugins, if you are using them. The list below describes which version of the plugin you should upgrade to, depending on your Confluence version. See http://confluence.atlassian.com/display/DOC/Upgrading+your+Existing+Plugins for instructions on how to upgrade a plugin.
** Confluence 4.2 -- Gliffy plugin for Confluence 4.2
** Confluence 4.1 -- Gliffy plugin for Confluence 4.2
** Confluence 4.0 -- Gliffy plugin for Confluence 4.2
** Confluence 3.5 -- Gliffy plugin for Confluence 4.2
* Patches -- There are no patches available for this vulnerability. Due to the extent of the changes required to fix the vulnerability, it is not possible to provide patches that resolve the issue without compromising the reliability of Confluence. You must upgrade to fix this vulnerability.
Securely yours,
Atlassian