
                          Confluence Security Advisory


Are you a Confluence user? If so, you should be aware that Atlassian have today announced two critical security vulnerabilities affecting Confluence Server and Confluence Data Center. Confluence Cloud is not affected.

                          There's more information from Atlassian here: Confluence Security Advisory - 2019-03-20

                          Here's the detail you need to know.

                          What are the vulnerabilities?

                          WebDAV vulnerability - CVE-2019-3395

                          • Critical
                          • Atlassian issue: SSRF via WebDAV endpoint - CVE-2019-3395
                          • A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
• This means an attacker can use your Confluence server as a relay: the requests it sends on their behalf can reach systems on your internal network, or other services that trust your server's address, and they appear to come from your server rather than from the attacker.

                          Widget Connector vulnerability - CVE-2019-3396

                          • Critical
                          • Atlassian issue: Remote code execution via Widget Connector macro - CVE-2019-3396
• There was a server-side template injection vulnerability in the Widget Connector macro of Confluence Server and Data Center. An attacker is able to exploit it to achieve server-side template injection, path traversal and remote code execution on systems running a vulnerable version.
• An attacker could make arbitrary changes to the Confluence system (e.g. replacing the login page to capture passwords) and could compromise the whole server. This is a very serious vulnerability.

                          Which versions of Confluence are affected?

                          • All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions
                          • All 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions
                          • All 6.6.x versions before 6.6.12
                          • All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions
                          • All 6.12.x versions before 6.12.3
                          • All 6.13.x versions before 6.13.3
                          • All 6.14.x versions before 6.14.2
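As an added example (not part of the original post, and not Atlassian's or BDQ's tooling), the following Python script encodes the version list above as a check you can run against an inventory of Confluence instances, ranking internet-facing affected ones first. The hostnames and versions in the sample inventory are constructed. A version outside the listed ranges (for example 6.0.x or 6.15.x) is reported as "not listed" rather than as safe, so those should be checked against the advisory itself.

```python
"""
Version triage for the Confluence Security Advisory of 2019-03-20
(CVE-2019-3395, CVE-2019-3396).

Added example for this post, not Atlassian's or BDQ's code. The affected
ranges below are transcribed from the version list in the post; any
version outside those ranges is reported as "not listed" rather than
"fixed", so check the advisory before treating it as safe.
"""
import re
from typing import Dict, List, Tuple

# First fixed release in the 6.x lines that received a fix.
FIRST_FIXED_PATCH: Dict[Tuple[int, int], int] = {
    (6, 6): 12,
    (6, 12): 3,
    (6, 13): 3,
    (6, 14): 2,
}

# 6.x lines for which every release is affected (no fix was issued in-line).
FULLY_AFFECTED_6X_MINORS = {1, 2, 3, 4, 5, 7, 8, 9, 10, 11}

# Accepts "6.13.2", "6.6" and suffixed builds such as "6.12.3-beta1".
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.][0-9A-Za-z.-]*)?\s*$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a Confluence version string into (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one Confluence version."""
    major, minor, patch = parse_version(version_text)
    if 1 <= major <= 5:
        return "affected"  # all 1.x.x to 5.x.x versions are affected
    if major == 6:
        if minor in FULLY_AFFECTED_6X_MINORS:
            return "affected"
        fixed_patch = FIRST_FIXED_PATCH.get((6, minor))
        if fixed_patch is not None:
            return "affected" if patch < fixed_patch else "fixed"
    return "not listed"


def triage(inventory: Dict[str, Tuple[str, bool]]) -> List[Tuple[str, str, str, str]]:
    """Rank instances by urgency: internet-facing affected instances first.

    inventory maps hostname -> (version string, internet_facing).
    Returns (hostname, version, status, action) tuples, most urgent first.
    """
    rows = []
    for host, (version, internet_facing) in inventory.items():
        status = assess(version)
        if status == "affected":
            if internet_facing:
                rank, action = 0, "IMMEDIATE: disable WebDAV plugin and Widget Connector, then upgrade"
            else:
                rank, action = 1, "disable WebDAV plugin and Widget Connector, schedule upgrade"
        elif status == "not listed":
            rank, action = 2, "verify against the Atlassian advisory"
        else:
            rank, action = 3, "none, already on a fixed release"
        rows.append((rank, host, version, status, action))
    rows.sort()
    return [(h, v, s, a) for _, h, v, s, a in rows]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, Tuple[str, bool]] = {
    "wiki.example.com": ("6.6.11", True),
    "wiki-dc.internal.example": ("6.13.3", False),
    "legacy.internal.example": ("5.10.8", False),
    "wiki-new.example.com": ("6.15.1", True),
}

if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {version:8} {status:11} {action}")
```

Run it as a script to print the ranked list, or import `assess` into whatever inventory tooling you already have. The "not listed" outcome is deliberate: the script only knows the ranges quoted in this post, and a newer or unlisted line should be confirmed against the advisory rather than assumed clean.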

                          Is there a workaround?

Yes. If you are unable to upgrade Confluence immediately, there is a simple but temporary workaround: open the Administration (cog) menu, go to Manage apps (Manage add-ons in older versions), and disable the following system plugins:

                          • WebDAV plugin
                          • Widget Connector

While these plugins are disabled, WebDAV access to Confluence and the Widget Connector macro (embedded content on pages that use it) will not work. Once you have upgraded Confluence to a fixed version, you can re-enable them.

Anyone running an affected version of Confluence should apply this workaround, but it is especially important for anyone with an internet-facing installation, and in that case it should be done immediately.

                          But the overall best solution is to upgrade Confluence to a later version as soon as possible.

                          We can help

                          If you have any questions, or need help with upgrading Confluence, please just get in touch.

                          About BDQ

                          BDQ is a digital transformation specialist founded in London. We combine great products with highly experienced consultants to help our customers manage tasks, automate work and collaborate more effectively.