Confluence Security Advisory - 2019-03-20


March 2019 Confluence Server Advisory - WebDAV and Widget Connector vulnerabilities

Summary

March 2019 Confluence Server and Data Center Advisory - WebDAV and Widget Connector vulnerabilities

Advisory Release Date

20 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours)

Products

  • Confluence Server

  • Confluence Data Center

Affected Versions

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions

  • All 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions

  • All 6.6.x versions before 6.6.12

  • All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions

  • All 6.12.x versions before 6.12.3

  • All 6.13.x versions before 6.13.3

  • All 6.14.x versions before 6.14.2

Fixed Versions

  • Version 6.6.12 and higher versions of 6.6.x

  • Version 6.12.3 and higher versions of 6.12.x

  • Version 6.13.3 and higher versions of 6.13.x

  • Version 6.14.2 and higher

CVE ID(s)

  • CVE-2019-3395

  • CVE-2019-3396

Summary of vulnerabilities

This advisory discloses two critical severity security vulnerabilities in Confluence Server and Confluence Data Center.

Customers who have upgraded to Confluence Server or Data Center versions 6.6.12, 6.12.3, 6.13.3, 6.14.2 or higher are not affected.

Customers using Confluence Cloud are not affected.

Customers who have downloaded and installed these versions of Confluence Server or Data Center are affected:

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions

  • All 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions

  • All 6.6.x versions before 6.6.12

  • All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions

  • All 6.12.x versions before 6.12.3

  • All 6.13.x versions before 6.13.3

  • All 6.14.x versions before 6.14.2

Please upgrade your Confluence Server or Data Center installations immediately to fix these vulnerabilities.

WebDAV vulnerability - CVE-2019-3395

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment; you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center versions released before 18 June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability.

This issue can be tracked here: CONFSERVER-57971

Acknowledgements

Credit for finding this vulnerability goes to Shubham Shah from Assetnote (https://assetnote.io) and Orange Tsai from DEVCORE (https://devco.re).

Widget Connector vulnerability - CVE-2019-3396

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment; you should evaluate its applicability to your own IT environment.

Description

There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability.

This issue can be tracked here: CONFSERVER-57974

Acknowledgements

Credit for finding this vulnerability goes to Daniil Dmitriev (https://twitter.com/ddv_ua).


Fix

We have taken the following steps to address these issues:

  • Released versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2 of Confluence Server and Data Center, and the latest version 6.15.1, which contain fixes for these issues.

What you need to do

Atlassian recommends that you upgrade to the latest version (6.15.1). For a full description of the latest version of Confluence Server and Data Center, see the Release Notes. You can download the latest version of Confluence from the Atlassian website.

If you can’t upgrade to the latest version (6.15.1):

(1) If you have a current feature version (a feature version released on 4th October 2018 or later), upgrade to the next bugfix version of your current feature version.

If you have feature version…          …then upgrade to this bugfix version:

6.12.0, 6.12.1, 6.12.2                6.12.3

6.14.0, 6.14.1                        6.14.2

(2) If you have a current enterprise release version (an enterprise release version released on 4th April 2017 or later), upgrade to the latest version of your enterprise release version.

If you have enterprise release version…                                          …then upgrade to this version:

6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11   6.6.12

6.13.0, 6.13.1, 6.13.2                                                           6.13.3

(3) If you have an older version (a feature version released before 4th October 2018, or an enterprise release version released before 4th April 2017), either upgrade to the latest version of Confluence Server or Data Center, or to the latest version of an enterprise release version.

If you have any of these older versions…

  • 1.x.x
  • 2.x.x
  • 3.x.x
  • 4.x.x
  • 5.x.x
  • 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x
  • 6.7.x, 6.8.x, 6.9.x, 6.10.x, 6.11.x

…then upgrade to any of these versions:

  • 6.14.2
  • 6.13.3
  • 6.6.12
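The affected-version ranges in the two Description sections and the upgrade tables above are easy to misread by hand, especially for the 6.6.x enterprise line (6.6.7 closed the WebDAV issue, but 6.6.12 is needed for the Widget Connector issue) and for 6.7.x, which never received a fix. The script below is an added example, not Atlassian's code: it encodes the ranges exactly as this advisory states them, reports which CVE IDs apply to a given Confluence Server or Data Center version string, and looks up the upgrade target the advisory recommends for that release line. It assumes plain dotted version strings such as "6.12.1"; pre-release suffixes are rejected rather than guessed at.

```python
"""Check a Confluence version against the ranges in this advisory.

Added example (not Atlassian's code). Affected ranges are transcribed from the
per-CVE Description sections; upgrade targets from the "What you need to do"
tables. Version strings are assumed to be dotted integers like "6.12.1".
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse "6.12.1" or "6.12" into a comparable (major, minor, patch) tuple.
    Suffixes such as "-rc1" are rejected rather than silently compared."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


# Per-CVE affected ranges: (inclusive lower bound or None for "everything
# below", exclusive upper bound). A version is affected if it is in any range.
AFFECTED_RANGES = {
    "CVE-2019-3395": [  # WebDAV SSRF; fixed in 6.6.7, 6.8.5, 6.9.3
        (None, "6.6.7"),
        ("6.7.0", "6.8.5"),
        ("6.9.0", "6.9.3"),
    ],
    "CVE-2019-3396": [  # Widget Connector SSTI; fixed in 6.6.12, 6.12.3, 6.13.3, 6.14.2
        (None, "6.6.12"),
        ("6.7.0", "6.12.3"),
        ("6.13.0", "6.13.3"),
        ("6.14.0", "6.14.2"),
    ],
}


def affected_by(version: str) -> List[str]:
    """CVE IDs from this advisory that apply to the given version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            if (low is None or parse_version(low) <= v) and v < parse_version(high):
                hits.append(cve)
                break
    return hits


# Upgrade targets from the advisory's tables, keyed by release line.
LINE_TARGETS = {
    (6, 6): "6.6.12",   # enterprise release
    (6, 12): "6.12.3",  # feature release
    (6, 13): "6.13.3",  # enterprise release
    (6, 14): "6.14.2",  # feature release
}
# Older lines (1.x through 6.5.x, and 6.7.x through 6.11.x): any of these.
OLDER_LINE_TARGETS = ["6.14.2", "6.13.3", "6.6.12"]


def upgrade_targets(version: str) -> List[str]:
    """Versions the advisory says to upgrade to; empty if no upgrade is needed."""
    if not affected_by(version):
        return []
    major, minor, _ = parse_version(version)
    target = LINE_TARGETS.get((major, minor))
    return [target] if target else list(OLDER_LINE_TARGETS)


def report(version: str) -> str:
    """One-line human-readable verdict for an inventory listing."""
    cves = affected_by(version)
    if not cves:
        return f"{version}: not affected by this advisory"
    return (f"{version}: affected by {', '.join(cves)}; "
            f"upgrade to {' or '.join(upgrade_targets(version))}")


if __name__ == "__main__":
    for v in ("5.10.8", "6.6.12", "6.7.3", "6.12.1", "6.14.1", "6.15.1"):
        print(report(v))
```

Feed it the version string from each instance's Administration > System Information page (or the `version` field of `/rest/api/...` responses if you collect those already); the 6.6.13-style case, a fixed enterprise patch that is numerically below 6.7.0, is handled correctly because the second range of each CVE starts at 6.7.0 rather than at the previous fixed version.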

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround you can go to Administration > Manage apps (Manage add-ons in older versions), select System in the filter, and disable the following system plugins in Confluence:

  • WebDAV plugin
  • Widget Connector

If you disable the Widget Connector plugin, the Widget Connector macro will not be available. This macro is used to display content from websites like YouTube, Vimeo, and Twitter. Users will see an 'unknown macro' error. 

If you disable the WebDAV plugin, you will not be able to connect to Confluence using a WebDAV client. Disabling this plugin will also automatically disable the Office Connector plugin, which means Office Connector features such as Import from Word, and Edit in Office will not be available. Note that because WebDAV is not required to edit files from Confluence 6.11 and later, you will still be able to edit files in those versions. 

After upgrading, you will need to manually re-enable:

  • WebDAV plugin
  • Widget Connector
  • Office Connector.
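Clicking through Manage apps is fine for one instance but hard to audit across a fleet, and the note above that Office Connector is disabled as a side effect and must be re-enabled by hand after the upgrade is exactly the step that gets forgotten. The script below is an added example, not Atlassian's code: it drives the same toggle through the Universal Plugin Manager (UPM) REST API. It assumes the standard UPM endpoints `GET /rest/plugins/1.0/` (listing) and `PUT /rest/plugins/1.0/<key>-key` with body `{"enabled": ...}` and content type `application/vnd.atl.plugins.plugin+json`, and that an administrator account with HTTP Basic authentication is accepted by those endpoints (some deployments additionally require a websudo session); verify both against your UPM version. Plugin keys are not given in the advisory, so they are looked up by display name from the live listing rather than hard-coded; SAMPLE_LISTING is a constructed response used only to exercise the matching logic offline.

```python
"""Apply or reverse this advisory's plugin workaround via the UPM REST API.

Added example (not Atlassian's code). Assumes the standard UPM endpoints
GET /rest/plugins/1.0/ and PUT /rest/plugins/1.0/<key>-key; plugin keys are
resolved by display name from the live listing. SAMPLE_LISTING is constructed.
"""
import base64
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

UPM_CONTENT_TYPE = "application/vnd.atl.plugins.plugin+json"

# Plugins the advisory says to disable, and the set to re-enable afterwards.
# Office Connector is switched off automatically with WebDAV, so it is only
# in the re-enable list; WebDAV is listed first so it comes back before the
# Office Connector that depends on it.
WORKAROUND_PLUGINS = ("WebDAV plugin", "Widget Connector")
REENABLE_PLUGINS = WORKAROUND_PLUGINS + ("Office Connector",)

# Constructed listing (keys are placeholders, not real Atlassian plugin keys).
SAMPLE_LISTING = {
    "plugins": [
        {"key": "example.webdav", "name": "WebDAV plugin", "enabled": True},
        {"key": "example.widgetconnector", "name": "Widget Connector", "enabled": True},
        {"key": "example.officeconnector", "name": "Office Connector", "enabled": True},
        {"key": "example.thirdparty", "name": "Some Marketplace App", "enabled": True},
    ]
}


def find_plugins(listing: dict, names) -> Dict[str, Optional[Tuple[str, bool]]]:
    """Map each wanted display name to (key, enabled); None if not present."""
    wanted = {n.casefold(): n for n in names}
    found: Dict[str, Optional[Tuple[str, bool]]] = {n: None for n in names}
    for plugin in listing.get("plugins", []):
        name = wanted.get(str(plugin.get("name", "")).casefold())
        if name is not None:
            found[name] = (plugin["key"], bool(plugin.get("enabled")))
    return found


def plan_changes(listing: dict, names, enabled: bool) -> Tuple[List[str], List[str]]:
    """Return (keys to toggle to reach `enabled`, names missing from the listing).
    Missing names are returned rather than skipped so a rollout can fail loudly."""
    found = find_plugins(listing, names)
    missing = [n for n, info in found.items() if info is None]
    to_toggle = [info[0] for info in found.values() if info is not None and info[1] != enabled]
    return to_toggle, missing


def _auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_toggle_request(base_url: str, key: str, enabled: bool,
                         username: str, password: str) -> urllib.request.Request:
    """PUT /rest/plugins/1.0/<key>-key with {"enabled": <bool>} (UPM convention)."""
    url = f"{base_url.rstrip('/')}/rest/plugins/1.0/{key}-key"
    req = urllib.request.Request(url, data=json.dumps({"enabled": enabled}).encode(), method="PUT")
    req.add_header("Content-Type", UPM_CONTENT_TYPE)
    req.add_header("Authorization", _auth_header(username, password))
    return req


def fetch_listing(base_url: str, username: str, password: str) -> dict:
    req = urllib.request.Request(f"{base_url.rstrip('/')}/rest/plugins/1.0/")
    req.add_header("Authorization", _auth_header(username, password))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def set_workaround(base_url: str, username: str, password: str, apply: bool = True) -> List[str]:
    """apply=True disables WebDAV + Widget Connector; apply=False re-enables
    them plus Office Connector (the post-upgrade step). Returns keys changed."""
    names = WORKAROUND_PLUGINS if apply else REENABLE_PLUGINS
    to_toggle, missing = plan_changes(fetch_listing(base_url, username, password), names, not apply)
    if missing:
        raise LookupError(f"plugins not found on {base_url}: {missing}")
    for key in to_toggle:
        with urllib.request.urlopen(build_toggle_request(base_url, key, not apply, username, password), timeout=30):
            pass
    return to_toggle


if __name__ == "__main__":
    # Offline dry run against the constructed listing.
    print("would disable:", plan_changes(SAMPLE_LISTING, WORKAROUND_PLUGINS, enabled=False))
```

Run `set_workaround(url, user, pw, apply=True)` on each node now and `apply=False` once the node is on a fixed version; because plan_changes only toggles plugins that are not already in the desired state, re-running it is safe and the returned key list doubles as an audit record of what actually changed on that instance.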

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/.

References

Security Bug Fix Policy

Our SLAs and guarantees for bugfixes.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE ID. The severity level is based on a CVSS score that Atlassian calculates independently for each vulnerability. CVSS is an industry-standard vulnerability metric. You can learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to the policy for details.

Last modified on 3 April 2019
