
HTTP Header Injection Flaw

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.
An Advanced Warning of this Security Advisory published last week stated the severity of this vulnerability as critical. After further assessing the likelihood of attack, however, we have amended this to high.

Risk Assessment

We have identified and fixed a security flaw which may affect Confluence instances in a public environment. This flaw is an HTTP header injection vulnerability in the Seraph web framework used by Confluence. It potentially allows a malicious user (attacker) to modify the HTTP response and insert malicious code. An attacker could present a modified URL to users (e.g. disguised in an email message). If any user clicks the URL, the malicious code would be executed in the user's session.

Atlassian recommends that you upgrade to Confluence 2.10.2 to fix the vulnerabilities described below.

Risk Mitigation

We strongly recommend that you patch or upgrade your Confluence installation to resolve these vulnerabilities. Please refer to the "Fix" section below.

Alternatively, you may consider taking the following step, although the time required to fix this vulnerability and the extent of its effectiveness will depend on your application server running Confluence and its configuration:

Vulnerability

All versions of Confluence prior to 2.10.2 are vulnerable to this security issue.

Fix

This fix updates the Seraph framework to a version that correctly encodes and validates redirect URLs before sending them to the user.
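The kind of redirect-URL validation the fix describes, shown as an added Python illustration rather than the Seraph (Java) code itself; the function names, the allowed-host rule and the sample targets are assumptions made for this example:

```python
"""Hypothetical redirect-target validator (added example, not Atlassian/Seraph code)."""
from urllib.parse import urlsplit, quote, urlunsplit

# Characters that must never reach a response header: CR, LF and other C0/DEL
# controls. A raw CR/LF in a Location value would terminate the header and let
# the rest of the string be read as further headers or as the body.
_HEADER_FORBIDDEN = {chr(c) for c in range(0x20)} | {"\x7f"}


class UnsafeRedirect(ValueError):
    """Raised when a redirect target could alter the HTTP response."""


def sanitize_redirect(target: str, allowed_host: str) -> str:
    """Return a header-safe redirect URL, or raise UnsafeRedirect.

    Rules assumed for this example:
      * control characters (CR/LF included) are rejected outright, before any
        URL parsing, because parsers may silently strip them;
      * only same-site targets are accepted: a site-relative path starting with
        '/' (not '//'), or an absolute http(s) URL whose host is allowed_host;
      * path and query are percent-encoded, so the only bytes written into the
        header are ones the encoder produced. Existing %xx sequences are kept
        as literal text; the caller must not decode the result again.
    """
    if any(ch in _HEADER_FORBIDDEN for ch in target):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # '//evil.example/' parses with an empty scheme and a foreign netloc,
        # so this branch also rejects scheme-relative targets.
        if parts.scheme not in ("http", "https") or parts.hostname != allowed_host:
            raise UnsafeRedirect("redirect to foreign host or scheme")
    elif not target.startswith("/"):
        raise UnsafeRedirect("redirect target must be a site-relative path")
    path = quote(parts.path, safe="/%")
    query = quote(parts.query, safe="=&%")
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))  # fragment dropped


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Boolean convenience wrapper for logging or tests."""
    try:
        sanitize_redirect(target, allowed_host)
        return True
    except UnsafeRedirect:
        return False
```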

To patch your existing installation of Confluence, please refer to CONF-14275. This JIRA issue contains the downloadable patch file and instructions on how to patch your existing Confluence installation.

Alternatively, install or upgrade to Confluence version 2.10.2. (See the release notes.) The Confluence 2.10.2 installation files can be downloaded from the download centre.

For more information, please refer to CONF-14275.