Confluence Security Advisory - 2011-01-18


This advisory announces a number of security vulnerabilities that we have found and fixed in recent versions of Confluence. We also provide patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your Confluence installation rather than applying the patches. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

In this advisory:

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances, including publicly available instances (that is, internet-facing servers). XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the XSS vulnerabilities.

Confluence Feature          | Affected Confluence Versions | Issue Tracking
Code macro                  | 2.7 – 3.4                    | CONF-21098
Attachments macro           | 3.3 – 3.4                    | CONF-21099
Bookmarks macro             | 3.1 – 3.4.3                  | CONF-21390
Global Reports macro        | 2.7 – 3.4.3                  | CONF-21391
Recently Updated macro      | 3.0 – 3.4.3                  | CONF-21392
Pagetree macro              | 2.7 – 3.4.3                  | CONF-21393
Create Space Button macro   | 2.7 – 3.4.3                  | CONF-21394
Documentation Link macro    | 2.7 – 3.4.5                  | CONF-21508

Our thanks to dave b, who reported the vulnerability in the Documentation Link macro. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

Confluence 3.4.6 fixes these issues. For a full description of this release, see the release notes. You can download the latest version of Confluence from the download centre.

Patches

If for some reason you cannot upgrade to the latest version of Confluence, you can apply patches to fix the vulnerabilities described in this security advisory. The patches are attached to the relevant issues, as listed in the table above.

Please note that we have released a number of advisories about Confluence recently. We recommend that you review them and upgrade to the most recent release of the product or apply external security controls if you cannot. Most of the disclosed vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

We usually provide patches only for vulnerabilities of critical severity, as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.

We recommend patching only when you can neither upgrade nor apply external security controls.

Supported Versions | Confluence Feature | File Name                  | Issue Tracking | Download Security Update
3.4.x              | Code macro         | atlassian-renderer-6.2.jar   | CONF-21098     | Download
3.3.x              | Code macro         | atlassian-renderer-6.0.6.jar | CONF-21098     | Download

Customers running Confluence 3.4.x:

Please replace the following JAR file with the updated atlassian-renderer-6.2.jar:

CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/lib/atlassian-renderer.jar

Customers running Confluence 3.3.x:

Please replace the following JAR file with the updated atlassian-renderer-6.0.6.jar:

CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/lib/atlassian-renderer.jar

Supported Versions | Confluence Feature | File Name                      | Issue Tracking | Download Security Update
3.4.x              | Attachments macro  | attachments-table.vm-3.4.x.zip | CONF-21099     | Download
3.3.x              | Attachments macro  | attachments-table.vm.zip       | CONF-21099     | Download

Customers running Confluence 3.4.x:

Please replace the following vm file with the updated attachments-table.vm-3.4.x.zip:

CONFLUENCE_INSTALL_DIR/confluence/pages/includes/attachments-table.vm


Customers running Confluence 3.3.x:

Please replace the following vm file with the updated attachments-table.vm:

CONFLUENCE_INSTALL_DIR/confluence/pages/includes/attachments-table.vm

Supported Versions | Confluence Feature | File Name                  | Issue Tracking | Download Security Update
3.4.x, 3.3.x       | Bookmarks macro    | socialbookmarking-1.3.4.jar | CONF-21390     | Download

Update the .jar file with the fix contained in the file archive (zip). Follow these steps to do so:

  • Browse to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup
  • Open the file atlassian-bundled-plugins.zip
  • Decompress the contents into another location
  • Replace the current socialbookmarking.jar with the correct file according to your version.
  • Compress all the jar files into another zip with the same name as the original file (atlassian-bundled-plugins.zip)
  • Please note, make sure you place the files directly inside the zip, not contained inside another folder.


Supported Versions | Confluence Feature   | File Name                            | Issue Tracking | Download Security Update
3.4.x              | Global Reports macro | confluence-dashboard-macros-3.4.4.jar  | CONF-21391     | Download
3.3.x              | Global Reports macro | confluence-dashboard-macros-1.13.1.jar | CONF-21391     | Download

Update the .jar file with the fix contained in the file archive (zip). Follow these steps to do so:

  • Browse to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup
  • Open the file atlassian-bundled-plugins.zip
  • Decompress the contents into another location
  • Replace the current confluence-dashboard-macros.jar with the correct file according to your version.
  • Compress all the jar files into another zip with the same name as the original file (atlassian-bundled-plugins.zip)
  • Please note, make sure you place the files directly inside the zip, not contained inside another folder.

Supported Versions | Confluence Feature | File Name                           | Issue Tracking | Download Security Update
3.4.x              | Code macro         | confluence-advanced-macros-1.12.3.jar | CONF-21392     | Download
3.3.x              | Code macro         | confluence-advanced-macros-1.9.2.jar  | CONF-21392     | Download

Update the .jar file with the fix contained in the file archive (zip). Follow these steps to do so:

  • Browse to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup
  • Open the file atlassian-bundled-plugins.zip
  • Decompress the contents into another location
  • Replace the current confluence-advanced-macros.jar with the correct file according to your version.
  • Compress all the jar files into another zip with the same name as the original file (atlassian-bundled-plugins.zip)
  • Please note, make sure you place the files directly inside the zip, not contained inside another folder.

Supported Versions | Confluence Feature | File Name         | Issue Tracking | Download Security Update
3.4.x              | Pagetree Macro     | pagetree-1.20.jar | CONF-21393     | Download

Update the .jar file with the fix contained in the file archive (zip). Follow these steps to do so:

  • Browse to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup
  • Open the file atlassian-bundled-plugins.zip
  • Decompress the contents into another location
  • Replace the current pagetree.jar with the correct file according to your version.
  • Compress all the jar files into another zip with the same name as the original file (atlassian-bundled-plugins.zip)
  • Please note, make sure you place the files directly inside the zip, not contained inside another folder.

Supported Versions | Confluence Feature        | File Name                            | Issue Tracking | Download Security Update
3.4.x              | Create Space Button macro | confluence-dashboard-macros-3.4.4.jar  | CONF-21394     | Download
3.3.x              | Create Space Button macro | confluence-dashboard-macros-1.13.1.jar | CONF-21394     | Download

Update the .jar file with the fix contained in the file archive (zip). Follow these steps to do so:

  • Browse to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup
  • Open the file atlassian-bundled-plugins.zip
  • Decompress the contents into another location
  • Replace the current confluence-dashboard-macros.jar with the correct file according to your version.
  • Compress all the jar files into another zip with the same name as the original file (atlassian-bundled-plugins.zip)
  • Please note, make sure you place the files directly inside the zip, not contained inside another folder.

Supported Versions | Confluence Feature       | File Name                           | Issue Tracking | Download Security Update
3.4.x              | Documentation Link macro | confluence-advanced-macros-1.12.3.jar | CONF-21508     | Download
3.3.x              | Documentation Link macro | confluence-advanced-macros-1.9.2.jar  | CONF-21508     | Download

Update the .jar file with the fix contained in the file archive (zip). Follow these steps to do so:

  • Browse to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup
  • Open the file atlassian-bundled-plugins.zip
  • Decompress the contents into another location
  • Replace the current confluence-advanced-macros.jar with the correct file according to your version.
  • Compress all the jar files into another zip with the same name as the original file (atlassian-bundled-plugins.zip)
  • Please note, make sure you place the files directly inside the zip, not contained inside another folder.
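The six bundled-plugin procedures above (Bookmarks, Global Reports, CONF-21392, Pagetree, Create Space Button and Documentation Link) all repeat the same steps: unpack atlassian-bundled-plugins.zip, swap one jar, and repack it with every entry directly inside the zip. The script below is an added example, not Atlassian's code, that automates those steps and enforces the final bullet (no nested folder). It assumes the patched jar keeps the file name Atlassian shipped (for example pagetree-1.20.jar) and that the current jar is named with its own version; the directory layout and jar contents in run_demo() are constructed sample data standing in for CONFLUENCE_INSTALL_DIR.

```python
"""Swap one JAR inside Confluence's atlassian-bundled-plugins.zip.

Added example, not Atlassian's code. It automates the advisory's manual
steps (unpack the bundle, replace one jar with the patched file, repack
under the same name) and enforces the final bullet: every entry must sit
directly inside the zip, never under a folder. The directory layout and
jar names used in run_demo() are constructed sample data.
"""
import os
import shutil
import tempfile
import zipfile

BUNDLE_NAME = "atlassian-bundled-plugins.zip"


def bundle_entries(bundle_path):
    """Entry names in archive order."""
    with zipfile.ZipFile(bundle_path) as zf:
        return [info.filename for info in zf.infolist()]


def is_flat(entries):
    """True when no entry carries a directory component. An entry such as
    'extracted/pagetree-1.20.jar' means the jars were zipped inside a folder,
    which is exactly the mistake the advisory's last bullet warns about."""
    return all(e and "/" not in e and "\\" not in e for e in entries)


def replace_bundled_jar(bundle_path, old_jar_name, patched_jar_path):
    """Rewrite bundle_path with old_jar_name removed and patched_jar_path
    added under its own base name (assumption: the patched jar keeps the
    file name Atlassian shipped, e.g. pagetree-1.20.jar). The original
    bundle is kept as <bundle>.bak. Returns the new entry list."""
    entries = bundle_entries(bundle_path)
    if old_jar_name not in entries:
        raise ValueError(f"{old_jar_name} is not in {bundle_path}; check the jar name for your version")
    if not is_flat(entries):
        raise ValueError("bundle contains nested paths; inspect it before patching")

    backup = bundle_path + ".bak"
    shutil.copy2(bundle_path, backup)
    tmp_path = bundle_path + ".tmp"
    new_name = os.path.basename(patched_jar_path)
    with zipfile.ZipFile(backup) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == old_jar_name:
                dst.write(patched_jar_path, arcname=new_name)  # patched jar in the old slot
            else:
                dst.writestr(info, src.read(info.filename))    # untouched jars copied as-is
    os.replace(tmp_path, bundle_path)                          # same file name as the original

    new_entries = bundle_entries(bundle_path)
    if not is_flat(new_entries) or old_jar_name in new_entries:
        raise RuntimeError("repacked bundle failed verification; restore from " + backup)
    return new_entries


def run_demo():
    """Build a constructed sample bundle in a temp dir, patch it, and also show
    that a wrongly nested bundle is refused. Returns the observations."""
    with tempfile.TemporaryDirectory() as work:
        setup_dir = os.path.join(work, "confluence", "WEB-INF", "classes",
                                 "com", "atlassian", "confluence", "setup")
        os.makedirs(setup_dir)
        bundle = os.path.join(setup_dir, BUNDLE_NAME)
        with zipfile.ZipFile(bundle, "w") as zf:        # constructed stand-in jars
            zf.writestr("pagetree-1.19.jar", b"old pagetree plugin")
            zf.writestr("confluence-advanced-macros-1.12.2.jar", b"other plugin")
        patched = os.path.join(work, "pagetree-1.20.jar")
        with open(patched, "wb") as fh:
            fh.write(b"patched pagetree plugin")
        after = replace_bundled_jar(bundle, "pagetree-1.19.jar", patched)

        nested = os.path.join(work, "nested.zip")
        with zipfile.ZipFile(nested, "w") as zf:        # jars zipped inside a folder
            zf.writestr("extracted/pagetree-1.20.jar", b"x")
        try:
            replace_bundled_jar(nested, "extracted/pagetree-1.20.jar", patched)
            nested_rejected = False
        except ValueError:
            nested_rejected = True
        return {"entries": after, "nested_rejected": nested_rejected,
                "backup_exists": os.path.exists(bundle + ".bak")}


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real installation by calling replace_bundled_jar() with the path to CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/classes/com/atlassian/confluence/setup/atlassian-bundled-plugins.zip, the name of the jar currently in the bundle, and the downloaded patch file; the .bak copy lets you roll back if Confluence fails to start.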
Last updated: 11 August 2014
