Confluence セキュリティ勧告 - 2015-01-21
Note: As of September 2014, we no longer provide binary bug patches. Instead we create new maintenance releases for the major versions we backport to. Please see our Security Bug fix Policy for more details. As this policy is new and in transition, in this instance we have also provided patches for Confluence versions from 4.3.x to 5.6.x
Date of Advisory: 21st January 2015
Product: Atlassian Confluence
脆弱性の概要
This advisory discloses a critical severity security vulnerability that exists in all versions of Confluence up to and including 5.6.
Atlassian Cloud customers are not affected by any of the issues described in this advisory.
- Customers who have downloaded and installed Confluence Server should upgrade their existing Confluence installations to fix this vulnerability.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered internally by Atlassian.
OGNL Double Evaluation Vulnerability
深刻度
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
説明
We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to have an account and be able to access the Confluence web interface.
Confluence 5.6 までのすべてのバージョンは、この脆弱性の影響を受けます。この課題は - CONF-36080課題情報を取得中... ステータスで追跡できます。
Risk Mitigation
If you are unable to upgrade your Confluence server you can do the following as a temporary workaround:
- Block access to your Confluence server web interface from untrusted networks, such as the Internet.
Block at a reverse proxy or a firewall all requests matching the following regular expression pattern in URI parameters.
.*(?:[{(]|%7B|%28).*(?:[})]|%7D|%29).*
修正
Releases 5.5.7, 5.6.6 (and any subsequent newer releases) are available to fix the vulnerability for versions 5.5 and 5.6. You can download these releases from:
If you have migrated from Atlassian Cloud to run Confluence locally and are using a Confluence 5.x-OD-xx-xxx install, you should follow the instructions to apply the security patch or upgrade to Confluence 5.7.
Upgrade (recommended)
The vulnerabilities and fix versions are described in the sections above.
Atlassian recommend that you upgrade to the latest version. For a full description of the latest version of Confluence, see the its release notes.
Patches
As this policy is new and in transition, in this instance we have also provided patches for Confluence versions from 4.3.x to 5.6.x
You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.
If for some reason you cannot upgrade to the latest version of Confluence, you must apply the patch provided below to fix the vulnerability described in this advisory. It has been tested for all supported versions of Confluence and may work for unsupported versions as well.
Patching supported versions of Confluence 4.3.x - 5.6.x
Download the patch file.
バージョン Patch MD5 4.3.x - 5.6.x webwork-2.1.5-atlassian-3.jar 348ea1f5a0ebd5ab23827d551ef33fce
- Confluence をシャットダウンします。
- Move file
<CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/webwork-X.X.X-atlassian-X.jar
to a location outside the<CONFLUENCE-INSTALL>
folder. - Add the downloaded
webwork-2.1.5-atlassian-3.jar
file to folder<CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/
. Start up Confluence again.
To confirm that you have applied the patch successfully, check the version of the webwork .jar that has been loaded into Confluence as follows.
- Log in as administrator.
- Navigate to
/admin/classpath.action
URL on your instance and search for "/webwork-
". - There should be a single hit:
webwork-2.1.5-atlassian-3.jar
. This confirms that the patch has been correctly applied.
サポート
このアドバイザリに関してご質問や懸念がある場合は、https://support.atlassian.com/ でサポート リクエストを起票してください。
参考
セキュリティ バグの修正ポリシー | As per our new policy, critical security bug fixes will be back ported to major software versions for up to 12 months for Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches. Binary patches will no longer be released. |
セキュリティの問題の重大度レベル | Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |