It has been incorrectly advised previously that CONF-22479 (User Preferences) affects all versions starting from 2.7, while in fact it is exploitable only in 3.5 and above. Our sincere apologies; this will not happen again.

To remove the root cause of this bug and potentially prevent other similar vulnerabilities from appearing, you can still apply the patch to 3.4.

This advisory announces security vulnerabilities that we have found in Confluence and fixed in a recent version of Confluence. We also provide upgraded plugins and patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your complete Confluence installation rather than upgrading only the affected plugins. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.

XSS Vulnerabilities

Severity

Atlassian rates the severity level of both these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
These vulnerabilities are not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Risk Assessment

We have identified and fixed cross-site scripting (XSS) vulnerabilities that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the XSS vulnerabilities.

Confluence Feature | Affected Confluence Versions | Fixed Version | Issue Tracking
Login              | 3.5 – 3.5.2                  | 3.5.3         | CONF-22402
User Preferences   | 3.5 – 3.5.2                  | 3.5.3         | CONF-22479


Our thanks to Marian Ventuneac (http://www.ventuneac.net) who reported the vulnerabilities mentioned above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

These vulnerabilities (CONF-22402 and CONF-22479) are both fixed in Confluence 3.5.3, and later versions.
For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.

If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

If you are running Confluence 3.5, we highly recommend that you upgrade to Confluence 3.5.3, or later.
If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22479 vulnerability. The CONF-22402 vulnerability does not affect Confluence 3.4.

Vulnerability    | Patch                        | Patch File Name
User Preferences | Attached to issue CONF-22479 | CONF-22479_patch.zip

Patch instructions: Installing the patch

A patch is available for Confluence 3.4 to 3.4.9.

The patch addresses the following issue:

Security vulnerability in Confluence User Preferences (CONF-22479).

Applying the patch

If you are using Confluence 3.4 to 3.4.9, follow these steps:

  1. Download the CONF-22479_patch.zip file that is attached to the CONF-22479 issue.
  2. Stop Confluence.
  3. Make a backup of the <confluence_install_dir> directory.
  4. Extract the downloaded zip file into <confluence_install_dir>, overwriting the existing files.
  5. Verify that the following files have been created:
    • confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
    • confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
    • confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class
  6. Restart Confluence.
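The steps above can be scripted so that the backup and the post-extraction check in step 5 are not skipped under time pressure. The following is an added example, not a script shipped by Atlassian or attached to CONF-22479: the three file paths are the ones listed in the advisory, while the timestamped backup directory name, the function names and the argument layout are assumptions made for this example. Stopping and restarting Confluence (steps 2 and 6) is left to the operator, since the service manager differs between installations.

```shell
#!/bin/sh
# Added example (not Atlassian's own tooling): back up a Confluence 3.4.x
# install directory, extract the CONF-22479 patch over it, and verify that
# the files the advisory names are present afterwards.

# The paths the advisory says the patch creates (relative to the install dir).
PATCH_FILES="
confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class
"

# backup_install DIR: copy the install directory aside (step 3) and print the
# backup path. The ".bak-<timestamp>" naming is an assumption of this example.
backup_install() {
    install_dir="$1"
    backup_dir="${install_dir}.bak-$(date +%Y%m%d%H%M%S)"
    cp -a "$install_dir" "$backup_dir" || return 1
    printf '%s\n' "$backup_dir"
}

# check_patch_files DIR: return 0 when every expected file exists under DIR;
# otherwise report each missing path on stderr and return 1 (step 5).
check_patch_files() {
    install_dir="$1"
    missing=0
    for rel in $PATCH_FILES; do
        if [ ! -f "$install_dir/$rel" ]; then
            printf 'missing: %s\n' "$rel" >&2
            missing=1
        fi
    done
    return $missing
}

# apply_patch ZIP DIR: back up, extract the zip over the install directory
# (step 4, overwriting existing files), then verify the result.
apply_patch() {
    zip_file="$1"
    install_dir="$2"
    backup_install "$install_dir" >/dev/null || return 1
    unzip -o "$zip_file" -d "$install_dir" >/dev/null || return 1
    check_patch_files "$install_dir"
}

# Usage: sh apply_conf22479.sh CONF-22479_patch.zip /path/to/confluence_install_dir
if [ "$#" -eq 2 ]; then
    apply_patch "$1" "$2"
fi
```

Run the script with Confluence stopped; a non-zero exit from the verification step means the zip was extracted into the wrong directory or did not contain the expected classes, and the timestamped backup can be restored before Confluence is started again.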

XSRF Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as medium, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This vulnerability is not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Risk Assessment

We have identified and fixed a cross-site request forgery (XSRF) vulnerability that may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSRF vulnerabilities allow an attacker to trick users into unintentionally adding bookmarks to Confluence spaces. You can read more about XSRF attacks at http://www.cgisecurity.com/csrf-faq.html and other places on the web.

Vulnerability

The table below describes the Confluence versions and the specific functionality affected by the XSRF vulnerability.

Confluence Feature        | Affected Confluence Versions | Fixed Version | Issue Tracking
Social Bookmarking plugin | 3.0 – 3.4.9                  | 3.5           | CONF-22565

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

We also recommend that you read our guidelines on best practices for configuring Confluence security.

Fix

This vulnerability (CONF-22565) is fixed in Confluence 3.5, and later versions.
For a full description of the latest version of Confluence, see the release notes. You can download the latest version of Confluence from the download centre.

If you cannot upgrade to the latest version of Confluence, you can temporarily patch your existing installation using the patch listed below. We strongly recommend upgrading and not patching.

Patches

If you are running Confluence 3.5, the CONF-22565 vulnerability is already fixed, but we highly recommend that you upgrade to the latest version of Confluence.
If you are running Confluence 3.4, you can apply the following patch to fix the CONF-22565 vulnerability.

For details on upgrading Confluence plugins using the plugin manager, see the following.

Vulnerability             | Patch                        | Patch File Name
Social Bookmarking plugin | Attached to issue CONF-22565 | socialbookmarking-1.3.9.jar

Patch instructions: Installing the patch

A patch is available for Confluence 3.4 to 3.4.9.

The patch addresses the following issue:

  • Security vulnerability in the Confluence Social Bookmarking plugin (CONF-22565).

Applying the patch

If you are using Confluence 3.4 – 3.4.9, use the plugin manager to upgrade the Social Bookmarking plugin to a version equal to or greater than that specified in the file name above.
For details on using the plugin manager, see Upgrading your Existing Plugins.
