Confluence セキュリティ勧告 - 2008-10-14

In this advisory:

Confluence におけるパラメータ インジェクションの脆弱性

深刻度

Atlassian rates this vulnerability as critical, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

悪意のあるユーザー (ハッカー) が URL 文字列にパラメーターを追加して Confluence リクエストに独自の値を注入できる欠陥を、特定して修正しました。この欠陥によって、ハッカーは Confluence のセキュリティ チェックを迂回して、実行が許可されていないアクションを実行できるようになります。

Risk Mitigation

To address the issue, you should upgrade Confluence as soon as possible or follow the patch instructions below. If you judge it necessary, you can block all untrusted IP addresses from accessing Confluence.

Vulnerability

ハッカーは Confluence サーバーで、Confluence のセキュリティ チェックをバイパスし、特定のアクションを実施するパラメータを含む URL 文字列を設計することができます。この原因は、Confluence がサーバーでアクションを適用する前に、ユーザー入力を適切にサニタイズしていないことです。

攻撃者がこの問題を悪用すると、データにアクセスしたりデータを変更したりして、Confluence アプリケーションを侵害できる可能性があります。

Confluence 1.3 ～ 2.9.1 のすべてのバージョンには脆弱性があります。

修正

This issue has been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.9.2, a patch is available that will work with any affected version of Confluence. You can download and install the patch from on our JIRA site. For more information, please refer to CONF-13092.

XSS Vulnerability in Various Confluence Actions and Plugins

深刻度

Atlassian rates these vulnerabilities as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of security flaws which may affect Confluence instances in a public environment. The flaws are all XSS (cross-site scripting) vulnerabilities in various Confluence actions. Each vulnerability potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.

• ハッカーはこの欠陥を利用して他のユーザーのセッション クッキーやその他の資格情報を盗み、その資格情報をハッカー自身の Web サーバーに送り返す可能性があります。
• The hacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

Vulnerability

ハッカーは、以下の表に示す Confluence アクションに独自の JavaScript を注入できます。各アクションは、ユーザーが Confluence で特定の機能 (リンクやボタンのクリックなど) を実行したときに呼び出されます。アクションは、ブラウザーのアドレス バーに URL を入力するだけでも呼び出せます。不正な JavaScript は、ユーザーが URL を呼び出すときに実行されます。

For more details please refer to the related JIRA issue, also shown in the table below.

修正

These issues have been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.9.2, you can download and install the patches provided on our JIRA site. For more information, please refer to the specific JIRA issues shown in the table of vulnerabilities above.

Privilege Escalation Vulnerability in Confluence Watches

深刻度

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a flaw which would allow an unauthorised user to add a Confluence page to the list of pages they are watching, even if the user does not have permission to view that page. Under some circumstances, the unauthorised user may thus have access to information they are not authorised to see.

Risk Mitigation

この欠陥によって、権限のないユーザーがページを更新できず、ユーザーには閲覧権限のない情報に対するアクセス権が付与される可能性があります。

Vulnerability

An unauthorised user can manipulate the HTTP request, so that it adds a watch to a page which the user does not have permission to view. The page then appears in the user's list of watched pages, displaying the page title and the corresponding space name. In this way, the user can bypass Confluence's permission checks and gain access to information they are not authorised to see.

Confluence 1.0 ～ 2.9.1 のすべてのバージョンには脆弱性があります。

修正

This issue has been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.9.2, you can download and install the patches provided on our JIRA site. For more information, please refer to CONF-13039.

Confluence のお気に入りにおける権限エスカレーションの脆弱性

深刻度

Atlassian rates this vulnerability as moderate, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a flaw which would allow an unauthorised user to add a Confluence page to their list of favourites, even if the user does not have permission to view that page. Under some circumstances, the unauthorised user may thus have access to information they are not authorised to see.

Risk Mitigation

この欠陥によって、権限のないユーザーがページを更新できず、ユーザーには閲覧権限のない情報に対するごく限られたアクセス権のみが付与されます。

Vulnerability

An unauthorised user can manipulate the HTTP request, so that it marks as 'favourite' a page which the user does not have permission to view. The page is then added to the number of favourites for the user. The user cannot see the page title or content, but can see that the favourite count has been incremented.

Confluence 1.0 ～ 2.9.1 のすべてのバージョンには脆弱性があります。

修正

This issue has been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.9.2, you can download and install the patches provided on our JIRA site. For more information, please refer to CONF-13044.