Confluence 4.0 : Confluence Security Advisory 2011-05-31
This page last changed on Jun 02, 2011 by vosipov.
This advisory announces security vulnerabilities that we have found in Confluence and fixed in a recent version of Confluence. We also provide upgraded plugins and patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your complete Confluence installation rather than upgrading only the affected plugins. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to the issues described in this advisory. Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them. In this advisory: XSS VulnerabilitiesSeverityAtlassian rates the severity level of both these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. Risk AssessmentWe have identified and fixed cross-site scripting (XSS) vulnerabilities that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web. VulnerabilityThe table below describes the Confluence versions and the specific functionality affected by the XSS vulnerabilities.
Our thanks to Marian Ventuneac (http://www.ventuneac.net) who reported the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem. Risk MitigationWe recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups. We also recommend that you read our guidelines on best practices for configuring Confluence security. FixThese vulnerabilities (CONF-22402 and CONF-22479) are both fixed in Confluence 3.5.3, and later versions. If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
PatchesIf you are running Confluence 3.5, we highly recommend that you upgrade to Confluence 3.5.3, or later.
Patch Procedure: Install the PatchA patch is available for Confluence 3.4 – 3.4.9. The patch addresses the following issue: Security vulnerability in Confluence User Preferences (CONF-22479). Applying the patchIf you are using Confluence 3.4 – 3.4.9:
XSRF VulnerabilitySeverityAtlassian rates the severity level of both this vulnerability as medium, according to the scale published in Severity Levels for Security Issues for Security Issues. The scale allows us to rank the severity as critical, high, medium or low. Risk AssessmentWe have identified and fixed a cross-site request forgery (XSRF) vulnerability that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSRF vulnerabilities allow an attacker to trick users into unintentionally adding bookmarks to Confluence spaces. You can read more about XSRF attacks at http://www.cgisecurity.com/csrf-faq.html and other places on the web. VulnerabilityThe table below describes the Confluence versions and the specific functionality affected by the XSRF vulnerability.
Risk MitigationWe recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups. We also recommend that you read our guidelines on best practices for configuring Confluence security for configuring Confluence security. FixThis vulnerability (CONF-22565) is fixed in Confluence 3.5, and later versions. If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.
PatchesIf you are running Confluence 3.5, the CONF-22565 vulnerability is already fixed, but we highly recommend that you upgrade to the latest version of Confluence. For details on upgrading Confluence's plugins using the plugin manager, see:
Patch Procedure: Install the PatchA patch is available for Confluence 3.4 – 3.4.9. The patch addresses the following issue:
Applying the patchIf you are using Confluence 3.4 – 3.4.9, use the plugin manager to upgrade the Social Bookmarking plugin to a version equal to or greater than that specified in the file name above. |
![]() |
Document generated by Confluence on Sep 19, 2011 02:40 |