Confluence セキュリティ勧告 - 2008-12-03

In this advisory:

さまざまな Confluence アクションの XSS 脆弱性

深刻度

Atlassian rates these vulnerabilities as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of security flaws which may affect Confluence instances in a public environment. The flaws are all XSS (cross-site scripting) vulnerabilities in various Confluence actions. Each vulnerability potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.

• ハッカーはこの欠陥を利用して他のユーザーのセッション クッキーやその他の資格情報を盗み、その資格情報をハッカー自身の Web サーバーに送り返す可能性があります。
• The hacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

Vulnerability

ハッカーは独自の JavaScript をさまざまな Confluence URL に挿入できます。影響を受ける機能領域については、以下の表をご参照ください。ユーザーが Confluence で特定の機能 (リンクやボタンのクリックなど) を実行したときに、URL が呼び出されることがあります。URL は、ブラウザーのアドレス バーに入力するだけでも呼び出せます。このような URL に不正な JavaScript が挿入された場合は、ユーザーが URL を呼び出すと JavaScript が実行されます。

For more details please refer to the related JIRA issue, also shown in the table below.

* The patch for CONF-13717 also addresses the bug in CONF-13736.
** To fix this issue, please upgrade your Attachments plugin to the latest version. This plugin is available for Confluence 2.8.2, 2.9.2 and 2.10, via the Confluence Plugin Repository.

修正

These issues have been fixed in Confluence 2.10 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.10, you can download and install the patches provided on our JIRA site. You will need to upgrade to the latest point release for the major version of Confluence that you are running (e.g. if you are running Confluence 2.8, you will need to upgrade to version 2.8.2) and then apply the patches. For more information, please refer to the specific JIRA issues shown in the table of vulnerabilities above.

課題の 1 つは、Confluence 2.10 にアップグレードすることによってのみ修正できることにご注意ください。詳しくは上の表をご確認ください。

ユーザーは編集した URL を指定してすべての添付ファイルのリストを表示できます

深刻度

Atlassian rates this vulnerability as medium, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

スペースレベルまたはページレベルの権限に関係なく、Confluence インスタンスのすべてのページにあるすべての添付ファイルのリストをユーザーが表示できるセキュリティ上の欠陥を、特定して修正しました。

ユーザーはファイルを開けませんが、ファイル名、ファイルが添付されているページ、作成者、添付ファイルの作成日と最終更新日など、さまざまなメタデータを表示できます。

Risk Mitigation

If you judge it necessary, you can disable anonymous access to your wiki until you have applied the necessary patch or upgrade.

Vulnerability

If a user removes the space key from the URL while viewing attachments for a space, Confluence will display the full list of all attachments for all spaces. For more details, please refer to CONF-13874.

修正

These issues have been fixed in Confluence 2.10 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.10, you can download and install the patches provided in the JIRA issue, CONF-13874. You will need to upgrade to the latest point release for the major version of Confluence that you are running (e.g. if you are running Confluence 2.8, you will need to upgrade to version 2.8.2) and then apply the patch.