Confluence Security Advisory - 2010-11-15


Security Vulnerability in Confluence Remote API

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability in the Remote API that affects Confluence instances, including publicly accessible ones. Through the Remote API an attacker can escalate user privileges up to, but not including, the level of system administrator.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the RPC vulnerability.

Confluence Feature | Affected Confluence Versions | Fixed Version | Issue Tracking
User Access        | 2.7 – 3.4                    | 3.4.2         | CONF-21162

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability.

We strongly advise that you disable the remote APIs until your Confluence instance is patched or upgraded. If the Remote API is vital, we recommend you disable anonymous access to the remote API.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

Confluence 3.4.2 fixes this issue. For a full description of this release, see the release notes. You can download Confluence 3.4.2 from the download centre.

If you cannot upgrade to Confluence 3.4.2, you can patch your existing installation using the patch listed below.

Available Patch

If for some reason you cannot upgrade to the latest version of Confluence, you can apply the following patch to fix the vulnerability described in this security advisory.

Vulnerability                                   | Patch
Security vulnerability in Confluence Remote API | confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip

Patch Procedure: Install the Patch

A patch is available for Confluence 2.7 – 3.4.1.

The patch addresses the following issue:

  • Security vulnerability in Confluence RPC (CONF-21162).

Applying the patch

If you are using the Confluence 2.7 – 3.4.1 distributions:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_install_dir>/confluence/ directory.
  3. Download the confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip file.
  4. Expand the zip file into <confluence_install_dir>/confluence/, overwriting the existing files.
  5. Restart Confluence.
  6. Visit <Confluence base url>/admin/patch342applied.jsp and confirm that it reports: "The Patch for Confluence 3.4.2 has been correctly applied."

If you are using the WAR distribution of Confluence:

  1. Shut down Confluence.
  2. Make a backup of the <confluence_exploded_war>/confluence/ directory.
  3. Download the confluence-3.4.2-security-patch-for-2.7-to-3.4.1.zip file.
  4. Expand the zip file into <confluence_exploded_war>/confluence/, overwriting the existing files.
  5. Run 'build.sh clean' on UNIX, or 'build.bat clean' on Windows.
  6. Run 'build.sh' on UNIX or 'build.bat' on Windows.
  7. Redeploy the Confluence web app into your application server.
  8. Restart Confluence.
  9. Visit <Confluence base url>/admin/patch342applied.jsp and confirm that it reports: "The Patch for Confluence 3.4.2 has been correctly applied."
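The backup, expand and verify steps (2, 4 and 6 of the standalone procedure; 2, 4 and 9 of the WAR procedure) can be scripted so that the same thing happens on every instance and the result can be reviewed. The script below is an added example, not Atlassian's own tooling or part of the patch zip. It assumes the patch zip has already been downloaded and that Confluence is stopped; the install tree and file contents built inside demo() are constructed samples, and the success string is the one the advisory says patch342applied.jsp must report. Beyond the steps as written, it refuses archive entries whose path would land outside confluence/ and reports which files were overwritten versus newly added, so the change can be diffed against the backup.

```python
# Added example (not Atlassian's own tooling): automates steps 2, 4 and 6 of the
# patch procedure above. Assumptions: the patch zip is already downloaded, and
# the install layout and file names built in demo() are constructed samples.
import datetime
import shutil
import tempfile
import urllib.request
import zipfile
from pathlib import Path

# Success text the advisory says /admin/patch342applied.jsp must report.
PATCH_OK_MESSAGE = "The Patch for Confluence 3.4.2 has been correctly applied."


def backup_dir(confluence_dir: Path) -> Path:
    """Step 2: copy <confluence_install_dir>/confluence/ aside before touching it."""
    stamp = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = confluence_dir.parent / f"{confluence_dir.name}.bak-{stamp}"
    shutil.copytree(confluence_dir, dest)
    return dest


def apply_patch(zip_path: Path, confluence_dir: Path) -> dict:
    """Step 4: expand the patch zip into confluence/, overwriting existing files.

    Every entry is checked to stay inside the target directory before anything
    is written, so a malformed or tampered archive cannot write outside it.
    Returns which files were overwritten and which were newly added, so the
    change can be reviewed against the backup.
    """
    target = confluence_dir.resolve()
    overwritten, added = [], []
    with zipfile.ZipFile(zip_path) as zf:
        entries = zf.infolist()
        for info in entries:
            dest = (target / info.filename).resolve()
            if dest != target and target not in dest.parents:
                raise ValueError(f"refusing entry outside target dir: {info.filename}")
        for info in entries:
            if info.is_dir():
                continue
            dest = target / info.filename
            (overwritten if dest.exists() else added).append(info.filename)
            zf.extract(info, target)
    return {"overwritten": sorted(overwritten), "added": sorted(added)}


def patch_confirmed(page_text: str) -> bool:
    """Step 6: the verification page must contain the exact success message."""
    return PATCH_OK_MESSAGE in page_text


def check_patch_page(base_url: str) -> bool:
    """Fetch <Confluence base url>/admin/patch342applied.jsp (instance must be running)."""
    url = base_url.rstrip("/") + "/admin/patch342applied.jsp"
    with urllib.request.urlopen(url) as resp:
        return patch_confirmed(resp.read().decode("utf-8", "replace"))


def demo() -> dict:
    """Constructed sample run in a temp dir: fake install tree and fake patch zip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf = root / "confluence"
        (conf / "WEB-INF").mkdir(parents=True)
        (conf / "WEB-INF" / "web.xml").write_text("<old/>")  # constructed content

        patch = root / "constructed-patch.zip"
        with zipfile.ZipFile(patch, "w") as zf:
            zf.writestr("WEB-INF/web.xml", "<new/>")             # overwrites
            zf.writestr("admin/patch342applied.jsp", "<%-- -->")  # newly added

        backup = backup_dir(conf)
        result = apply_patch(patch, conf)
        result["backup_intact"] = (backup / "WEB-INF" / "web.xml").read_text() == "<old/>"
        result["patched"] = (conf / "WEB-INF" / "web.xml").read_text() == "<new/>"

        # A zip with an entry escaping the target must be rejected before any write.
        bad = root / "bad.zip"
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("../outside.txt", "x")
        try:
            apply_patch(bad, conf)
            result["traversal_rejected"] = False
        except ValueError:
            result["traversal_rejected"] = not (root / "outside.txt").exists()
        return result


if __name__ == "__main__":
    print(demo())
```

On a real host, call backup_dir() and apply_patch() with the actual <confluence_install_dir>/confluence/ (or <confluence_exploded_war>/confluence/) path and the downloaded zip while Confluence is stopped, then check_patch_page() with the base URL after the restart (and, for the WAR distribution, after the build and redeploy steps). Keep the returned file lists with your change record.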

Last updated 11 August 2014
