Confluence Security Advisory 2010-09-21
This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.3.3. We recommend that you upgrade to Confluence 3.3.3 to fix these vulnerabilities.
Path Traversal Vulnerability in Various Confluence Actions
Severity
Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers may be able to retrieve any file on the server that is running Confluence that is readable by the account under which Confluence runs. Path traversal attacks are also called 'directory traversal' or 'dot-dot-slash' (../) attacks.
The degree to which a Confluence instance is exposed depends on a number of factors in the implementation of the instance, in particular the file-system permissions of the account Confluence runs as. See the mitigation strategies below for details of how you can reduce your exposure.
You can read more about path traversal attacks at Open Web Application Security Project (OWASP) and other places on the web.
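The containment check that a path traversal fix comes down to, as an added example that is not Confluence's code (the advisory does not name the affected actions or parameters): the naive prefix check that usually ships first beside one that decides containment on the canonical resolved path, both run over a constructed set of traversal probes. The base directory and the probe strings are assumptions made for the demo.

```python
"""Containment check for a user-supplied file name against a fixed base
directory, beside the naive prefix check it replaces.

Added illustration for this advisory, not Confluence code: the advisory
does not name the affected actions or parameters, so the base directory
and the probe strings below are constructed for the demo.
"""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the base directory."""


def naive_is_within(base_dir: str, requested: str) -> bool:
    """The check that usually ships first: normalise, then prefix-compare.

    It is wrong twice over: it never decodes, so '%2F' is not a separator,
    and a string prefix accepts sibling directories whose names merely
    start with the base name.
    """
    candidate = os.path.normpath(os.path.join(base_dir, requested))
    return candidate.startswith(base_dir)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`,
    or raise PathTraversalError if it escapes.

    Containment is decided on the *resolved* path (symlinks followed,
    '..' collapsed), not by looking for '..' in the input.
    """
    base = os.path.realpath(base_dir)
    # Decode twice so a double-encoded '%252e%252e' is seen as '..'.
    # Legitimate names containing a literal '%' are the price; reject them
    # up front if your file names never need one.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators: on a POSIX host 'a\..\b' is one
    # file name, but the same string traverses on a Windows host.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    if os.path.isabs(decoded):
        raise PathTraversalError("absolute path not allowed")
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the containment test; a prefix comparison would accept
    # '/srv/x/attachments-evil' as being inside '/srv/x/attachments'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} escapes {base_dir}")
    return candidate


def is_within(base_dir: str, requested: str) -> bool:
    """Boolean form of safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except PathTraversalError:
        return False


# Constructed attacker inputs; the base directory is hypothetical.
BASE = "/srv/confluence-data/attachments"
PROBES = [
    "report.doc",                                   # plain name
    "sub/../report.doc",                            # '..' that stays inside
    "../../../../etc/passwd",                       # classic dot-dot-slash
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",             # URL-encoded separators
    "..%252F..%252F..%252F..%252Fetc%252Fpasswd",   # double-encoded
    "..\\..\\..\\..\\etc\\passwd",                  # backslash separators
    "/etc/passwd",                                  # absolute path
    "../attachments-evil/secret",                   # sibling dir sharing the prefix
]


def compare_checks() -> dict:
    """Run every probe through both checks; returns {probe: (naive, safe)}."""
    return {p: (naive_is_within(BASE, p), is_within(BASE, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (naive, safe) in compare_checks().items():
        print(f"{probe!r:50} naive={'allow' if naive else 'deny':5} "
              f"safe={'allow' if safe else 'deny'}")
```

The naive check denies the obvious `../../../../etc/passwd` and so looks correct in a quick test, while letting through the encoded, double-encoded, backslash and sibling-prefix variants; the resolved-path check denies all six escapes and still accepts the harmless `sub/../report.doc`.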
Vulnerability
The path traversal vulnerability exists in various Confluence actions, in all versions of Confluence up to and including 3.3.1.
See CONF-20668 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately, please consider the following mitigation strategies:
- Make sure that you do not start Confluence from the root directory when starting Confluence automatically. Instead, start it from a reduced-scope directory such as the {Confluence-installation}/bin directory.
- Upgrade your Tomcat version to 6.0.26 or later. This is relevant if you are using a WAR distribution of Confluence in your own Tomcat server.
- If you are running Confluence under UNIX, you should run Confluence inside a chroot jail. See Best Practices for UNIX chroot() Operations from Steve Friedl.
- In addition, please refer to our guidelines on Tomcat security best practices. (This is a JIRA document, but the principles apply to Confluence.) In particular, you should restrict the file access of the user account under which Confluence is running.
Fix
Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.
If you cannot upgrade to Confluence 3.3.3, you can patch your existing installation using the patches listed below.
Our thanks to Warren Leung of UCLA, who reported this vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Configuration of Office Connector Temporary Storage Location
Severity
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. An attacker who has already gained administrative access to Confluence in some way could point that location at a directory of their choosing and so write malicious files onto the server's file system.
Vulnerability
This vulnerability exists in the Office Connector configuration, made available to Confluence administrators via the Confluence Administration Console and the related Confluence action.
This vulnerability affects versions of Confluence from 2.8 up to and including 3.3.1, where the Office Connector is installed. Please note that the Office Connector is bundled in Confluence 2.10 and later.
See CONF-20669 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can choose one of the following mitigation strategies:
- Disable the Office Connector plugin. You can disable plugins via the Confluence Administration Console. See our documentation on installing and configuring plugins.
- Disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.
In addition, please refer to our guidelines on best practices for configuring Confluence security.
Fix
Confluence 3.3.3 fixes this issue. The temporary storage location can no longer be set from the Administration Console; administrators must edit a properties file to configure the path. See the release notes for more information. You can download Confluence 3.3.3 from the download centre.
If you cannot upgrade to Confluence 3.3.3, you can patch your existing installation using the patches listed below.
XSS Vulnerability in the Office Connector
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances, including publicly available instances.
- An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server.
- XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. An attacker's text and script might be displayed to other people viewing the page. This is potentially damaging to your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Vulnerability
The XSS vulnerability is exposed in the document import function of the Confluence Office Connector.
This vulnerability exists in Confluence 3.3.1 only, where the Office Connector is enabled. Please note that the Office Connector is bundled in Confluence.
See CONF-20670 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the Office Connector plugin. You can disable plugins via the Confluence Administration Console. See our documentation on installing and configuring plugins.
In addition, please refer to our guidelines on best practices for configuring Confluence security. In particular, please read our guidelines on using Apache to limit access to the Confluence administration interface.
Fix
Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.
XSRF Vulnerability in Confluence Mail Page Plugin
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
We have identified and fixed a cross-site request forgery (XSRF) vulnerability which may affect Confluence instances, including publicly available instances.
An attacker might take advantage of the vulnerability to trick users into emailing the contents of restricted pages to an arbitrary address without their knowledge. An XSRF attack works by exploiting the trust that a site has for the user. If a user is logged in to Confluence and an attacker tricks their browser into making a request to a Confluence URL, then the task is performed as the logged in user.
You can read more about XSRF attacks at cgisecurity and other places on the web.
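The mechanism the paragraph above describes, as an added example that is not the Mail Page plugin's code: a simulated 'mail this page' action, first as an unprotected handler that acts on any request carrying the victim's session cookie, then with a per-session anti-forgery token, each replayed against one legitimate submission and two cross-site forgeries. The action, the parameter names and the `atl_token` field are assumptions made for the demo.

```python
"""Cross-site request forgery against a state-changing wiki action, with
and without a per-session anti-forgery token.

Added illustration for this advisory, not the Mail Page plugin's code.
The action, the parameter names and the 'atl_token' field are assumptions
made for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session identified by the browser's session cookie."""
    user: str
    xsrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: dict
    session: Optional[Session]  # whatever the cookie jar attached, if anything


def mail_page_vulnerable(req: Request, outbox: list) -> int:
    """Pre-fix behaviour: any request carrying a valid session is acted on.

    The browser attaches the session cookie to *every* request to the site,
    including ones triggered by an attacker's page, so the only thing this
    checks (is the caller logged in?) is exactly what the attacker borrows.
    """
    if req.session is None:
        return 401
    outbox.append((req.session.user, req.params["pageId"], req.params["to"]))
    return 200


def mail_page_hardened(req: Request, outbox: list) -> int:
    """Post-fix behaviour: require POST plus a token the attacker cannot know.

    The token is bound to the session and embedded in the legitimate form;
    the same-origin policy stops a cross-site page from reading it, so a
    forged request cannot include it. compare_digest avoids timing leaks.
    """
    if req.session is None:
        return 401
    if req.method != "POST":
        return 405
    supplied = req.params.get("atl_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.xsrf_token.encode()):
        return 403
    outbox.append((req.session.user, req.params["pageId"], req.params["to"]))
    return 200


def run_scenarios() -> dict:
    """Replay a legitimate submission and two forged ones through each handler."""
    victim = Session(user="alice")
    page, attacker = "12345", "attacker@example.invalid"

    # Legitimate: alice submits the real form, which carries her token.
    legit = Request("POST", {"pageId": page, "to": "bob@example.invalid",
                             "atl_token": victim.xsrf_token}, victim)
    # Forged 1: <img src="https://wiki/mailpage.action?pageId=...&to=...">
    # on the attacker's site; the browser sends alice's cookie with the GET.
    forged_get = Request("GET", {"pageId": page, "to": attacker}, victim)
    # Forged 2: an auto-submitting cross-site <form method="POST">; still no
    # token, because the attacker's page cannot read alice's form.
    forged_post = Request("POST", {"pageId": page, "to": attacker}, victim)

    results = {}
    for name, handler in (("vulnerable", mail_page_vulnerable),
                          ("hardened", mail_page_hardened)):
        outbox: list = []
        results[name] = {
            "legit": handler(legit, outbox),
            "forged_get": handler(forged_get, outbox),
            "forged_post": handler(forged_post, outbox),
            "leaked_to_attacker": any(to == attacker for _, _, to in outbox),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Requiring POST alone is not enough (the second forgery is a cross-site POST and would succeed without the token check); requiring the token alone would still let a GET-triggered action be reached from an image tag in a page the victim merely views, so the hardened handler checks both.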
Vulnerability
The XSRF vulnerability is exposed in the Confluence Mail Page plugin.
This vulnerability exists in versions of Confluence from 2.4 up to and including 3.3.1, where the Mail Page plugin is enabled. Note that the Mail Page plugin is disabled by default. If you do not have this plugin enabled, your site will not be affected.
See CONF-20671 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation, or install the updated Confluence Mail Page plugin into your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the Confluence Mail Page plugin. (Note that the plugin is disabled by default).
Fix
Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.
The latest version (v1.12) of the Confluence Mail Page plugin also fixes this issue. You can download the plugin from the Atlassian Marketplace. Please refer to the documentation for instructions on installing plugins.
Available Patches and Plugin Upgrades
If for some reason you cannot upgrade to Confluence 3.3.3, you can apply the following patches and plugin upgrades to fix the vulnerabilities described in this security advisory.
Step 1 of the Patch Procedure: Install the Patch
A patch is available for Confluence 3.2.1. (That is, the Confluence 3.2.1_01 distribution.) If you have Confluence 3.2.0, you need to upgrade to Confluence 3.2.1 before applying the patch.
The patch addresses the following issue:
- Path traversal vulnerability (CONF-20668).
Applying the patch
If you are using the Confluence 3.2.1 distribution:
- Shut down Confluence.
- Make a backup of the <confluence_install_dir>/confluence/ directory.
- Download the confluence-3.2.1-to-3.3.2-security-patch.zip file.
- Expand the zip file into <confluence_install_dir>/confluence/, overwriting the existing files.
- Restart Confluence.
If you are using the WAR distribution of Confluence:
- Shut down Confluence.
- Make a backup of the <confluence_exploded_war>/confluence/ directory.
- Download the confluence-3.2.1-to-3.3.2-security-patch.zip file.
- Expand the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files.
- Run 'build.sh clean' on UNIX, or 'build.bat clean' on Windows.
- Run 'build.sh' on UNIX, or 'build.bat' on Windows.
- Redeploy the Confluence web app into your application server.
- Restart Confluence.
Step 2 of the Patch Procedure: Update your Plugins
Some of the above vulnerabilities exist in plugins and are therefore not included in the patch. To fix these vulnerabilities, you will need to update the affected plugin to get the fixed version. You can update the plugins in the normal manner, via the Universal Plugin Manager. Please refer to the documentation for more details on installing plugins.
- Install the latest version (v1.12) of the Mail Page plugin.
- Install version 1.7.1 of the Office Connector plugin.