Confluence Security Advisory - 2010-09-21
This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.3.3. We recommend that you upgrade to Confluence 3.3.3 to fix these vulnerabilities.
In this advisory:
Path Traversal Vulnerability in Various Confluence Actions
Severity
Atlassian rates this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. That scale rates vulnerabilities as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers may be able to retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal attacks are also called 'directory traversal' or 'dot-dot-slash' (../) attacks.
The degree to which a Confluence instance is vulnerable depends on a number of factors in the implementation of the instance. See the mitigation strategies below for details of how you can reduce your exposure.
You can read more about path traversal attacks at Open Web Application Security Project (OWASP) and other places on the web.
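As an added example (not code from Atlassian or from this advisory), the resolver below takes a user-supplied file name, normalises it against a fixed document root and refuses anything that would escape that root, covering the plain `../`, URL-encoded, double-encoded and backslash forms of the attack described above. DOC_ROOT, the sample requests and the helper names are assumptions.

```python
# Added example, not Atlassian's code: a file-name resolver that refuses
# requests escaping a fixed document root, with the traversal variants a
# defender should test (plain ../, URL-encoded, double-encoded, backslashes).
import posixpath
from urllib.parse import unquote

# Constructed root; mirrors the <confluence_install_dir>/confluence/ layout
# named in the patch instructions, but the path itself is made up.
DOC_ROOT = "/opt/confluence/confluence"


def canonical_request(name: str) -> str:
    """Percent-decode until the value stops changing (defeats %252e%252e),
    then unify Windows and POSIX separators so one check covers both."""
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    return name.replace("\\", "/")


def resolve_under_root(root: str, name: str):
    """Return the absolute path of `name` inside `root`, or None if the
    request is absolute, contains a NUL byte, or normalises outside root."""
    root = posixpath.normpath(root)
    cleaned = canonical_request(name)
    if "\0" in cleaned or cleaned.startswith("/"):
        return None
    # normpath collapses every '..' and '.' first, so the containment test is
    # structural rather than a '../' substring blacklist.
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify_requests(root: str, names):
    """Label each request 'allowed' or 'blocked' (useful as a regression test)."""
    return {n: ("allowed" if resolve_under_root(root, n) else "blocked")
            for n in names}


# Constructed sample requests: two legitimate, four traversal attempts.
SAMPLE_REQUESTS = [
    "images/logo.png",
    "docs/./readme.txt",
    "../../../../etc/passwd",
    "..%2F..%2Fconfig.xml",
    "%252e%252e/WEB-INF/web.xml",
    "..\\..\\win.ini",
]

if __name__ == "__main__":
    for req, verdict in classify_requests(DOC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{verdict:7s} {req}")
```

Even with such a check in place, the mitigations below still matter: the resolver only bounds what the application hands out, while the operating-system permissions of the Confluence user bound what any bypass could read.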
Vulnerability
The path traversal vulnerability exists in various Confluence actions, in all versions of Confluence up to and including 3.3.1.
See CONF-20668 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately, please consider the following mitigation strategies:
- Make sure that you do not start Confluence from the root directory when starting Confluence automatically. Instead, start it from a reduced-scope directory such as the {Confluence-installation}/bin directory.
- Upgrade your Tomcat version to 6.0.26 or later. This is relevant if you are using a WAR distribution of Confluence in your own Tomcat server.
- If you are running Confluence under UNIX, you should run Confluence inside a chroot jail. See Best Practices for UNIX chroot() Operations from Steve Friedl.
- In addition, please refer to our guidelines on Tomcat security best practices. (This is a JIRA document but the principles apply to Confluence.) In particular, you should restrict the file access of the username under which Confluence is running.
Fix
Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.
If you cannot upgrade to Confluence 3.3.3, you can patch your existing installation using the patches listed below.
Our thanks to Warren Leung of UCLA, who reported this vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Configuration of Office Connector Temporary Storage Location
Severity
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files onto the file system.
Vulnerability
This vulnerability exists in the Office Connector configuration, made available to Confluence administrators via the Confluence Administration Console and the related Confluence action.
This vulnerability affects versions of Confluence from 2.8 up to and including 3.3.1, where the Office Connector is installed. Please note that the Office Connector is bundled in Confluence 2.10 and later.
See CONF-20669 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can choose one of the following mitigation strategies:
- Disable the Office Connector plugin. You can disable plugins via the Confluence Administration Console. See our documentation on installing and configuring plugins.
- Disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.
In addition, please refer to our guidelines on best practices for configuring Confluence security.
Fix
Confluence 3.3.3 fixes this issue. Administrators must edit a properties file to configure the path. See the release notes for more information. You can download Confluence 3.3.3 from the download centre.
If you cannot upgrade to Confluence 3.3.3, you can patch your existing installation using the patches listed below.
XSS Vulnerability in the Office Connector
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances, including publicly available instances.
- An attacker could use this vulnerability to steal other users' session cookies or other credentials, and send those credentials back to the attacker's own web server.
- These XSS vulnerabilities could allow an attacker to embed their own JavaScript into a Confluence page. The attacker's text and script might then be displayed to other users viewing that page. This could damage your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Vulnerability
The XSS vulnerability is exposed in the document import function of the Confluence Office Connector.
This vulnerability exists in Confluence 3.3.1 only, where the Office Connector is enabled. Please note that the Office Connector is bundled in Confluence.
See CONF-20670 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the Office Connector plugin. You can disable plugins via the Confluence Administration Console. See our documentation on installing and configuring plugins.
Please also refer to our guidelines on best practices for configuring Confluence security. In particular, be sure to read the guideline on using Apache to limit access to the Confluence administration interface.
Fix
Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.
XSRF Vulnerability in Confluence Mail Page Plugin
Severity
Atlassian rates the severity level of this vulnerability as high, according to the scale published in Severity Levels for Security Issues.
Risk Assessment
We have identified and fixed a cross-site request forgery (XSRF) vulnerability which may affect Confluence instances, including publicly available instances.
An attacker might take advantage of the vulnerability to trick users into emailing the contents of restricted pages to an arbitrary address without their knowledge. An XSRF attack works by exploiting the trust that a site has for the user. If a user is logged in to Confluence and an attacker tricks their browser into making a request to a Confluence URL, then the task is performed as the logged in user.
You can read more about XSRF attacks at cgisecurity and other places on the web.
Vulnerability
The XSRF vulnerability is exposed in the Confluence Mail Page plugin.
This vulnerability exists in versions of Confluence from 2.4 up to and including 3.3.1, where the Mail Page plugin is enabled. Note that the Mail Page plugin is disabled by default. If you do not have this plugin enabled, your site will not be affected.
See CONF-20671 for issue tracking.
Risk Mitigation
We recommend that you upgrade your Confluence installation, or install the updated Confluence Mail Page plugin into your Confluence installation to fix this vulnerability.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable the Confluence Mail Page plugin. (Note that the plugin is disabled by default).
Fix
Confluence 3.3.3 fixes this issue. See the release notes. You can download Confluence 3.3.3 from the download centre.
The latest version (v1.12) of the Confluence Mail Page plugin also fixes this issue. You can download the plugin from the Atlassian Marketplace. Please refer to the documentation for instructions on installing plugins.
Patches and Plugin Upgrades Available
If for some reason you cannot upgrade to Confluence 3.3.3, you can apply the following patches and plugin upgrades to fix the vulnerabilities described in this security advisory.
Step 1 of the Patch Procedure: Install the Patch
A patch is available for Confluence 3.2.1. (That is, the Confluence 3.2.1_01 distribution.) If you have Confluence 3.2.0, you need to upgrade to Confluence 3.2.1 before applying the patch.
The patch addresses the following issue:
- Path traversal vulnerability (CONF-20668).
Applying the patch
If you are using the Confluence 3.2.1 distribution:
- Shut down Confluence.
- Make a backup of the <confluence_install_dir>/confluence/ directory.
- Download the confluence-3.2.1-to-3.3.2-security-patch.zip file.
- Extract the zip file into <confluence_install_dir>/confluence/, overwriting the existing files.
- Restart Confluence.
If you are using the WAR distribution of Confluence, follow these steps:
- Shut down Confluence.
- Make a backup of the <confluence_exploded_war>/confluence/ directory.
- Download the confluence-3.2.1-to-3.3.2-security-patch.zip file.
- Extract the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files.
- Run build.sh clean on UNIX, or build.bat clean on Windows.
- Run build.sh on UNIX, or build.bat on Windows.
- Redeploy the Confluence web app to your application server.
- Restart Confluence.
Step 2 of the Patch Procedure: Update your Plugins
Some of the above vulnerabilities exist in plugins and are therefore not included in the patch. To fix these vulnerabilities, you will need to update the affected plugin to get the fixed version. You can update the plugins in the normal manner, via the Universal Plugin Manager. Please refer to the documentation for more details on installing plugins.
- Install the latest version (v1.12) of the Mail Page plugin.
- Install version 1.7.1 of the Office Connector plugin.