
                    Confluence Security Advisory

                    Are you a Confluence user? If so, you should be aware that Atlassian have today announced two critical security vulnerabilities affecting Confluence Server and Confluence Data Center (Confluence Cloud is not affected).

                    There's more information from Atlassian here: Confluence Security Advisory - 2019-03-20

                    Here's the detail you need to know.

                    What are the vulnerabilities?

                    WebDAV vulnerability - CVE-2019-3395

                    • Critical
                    • Atlassian issue: SSRF via WebDAV endpoint - CVE-2019-3395
                    • A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
                    • Because those requests originate from your Confluence server, an attacker can use it to reach internal systems that are not otherwise exposed to them, and the requests appear to other systems to come from your trusted host.

                    Widget Connector vulnerability - CVE-2019-3396

                    • Critical
                    • Atlassian issue: Remote code execution via Widget Connector macro - CVE-2019-3396
                    • There was a server-side template injection vulnerability in the Widget Connector in Confluence Server and Data Center. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
                    • Remote code execution means the attacker can run their own code on the Confluence host. They could make arbitrary changes to the Confluence installation (e.g. replacing the login page to capture passwords) and compromise the whole server. This is a very serious vulnerability.

                    Which versions of Confluence are affected?

                    • All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions
                    • All 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions
                    • All 6.6.x versions before 6.6.12
                    • All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions
                    • All 6.12.x versions before 6.12.3
                    • All 6.13.x versions before 6.13.3
                    • All 6.14.x versions before 6.14.2
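If you run more than one Confluence instance, it is worth encoding the list above rather than reading it by eye. The following Python check is an added example, not code from the original post or from Atlassian: it treats the four fixed maintenance releases (6.6.12, 6.12.3, 6.13.3, 6.14.2) and every line after 6.14.2 as safe and flags everything else, so any release line the list does not name is conservatively reported as affected (a design choice of this example). It also reads the version out of saved Confluence page HTML, which Confluence Server and Data Center expose in an `ajs-version-number` meta tag; the sample page fragment below is constructed, not captured from a real instance.

```python
"""
Check Confluence Server / Data Center versions against the affected range in
the 2019-03-20 advisory (CVE-2019-3395, CVE-2019-3396).

Added example, not part of the original post or of any Atlassian tooling.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Maintenance releases that carry the fix, taken from the advisory's list.
# Within each of these 6.x lines, builds at or above the listed release are
# fixed; 6.14.2 is the newest fixed line, so every later line (6.15+, 7.x)
# is fixed as well. Every other line is treated as affected (conservative).
FIXED_RELEASES: Tuple[Version, ...] = ((6, 6, 12), (6, 12, 3), (6, 13, 3), (6, 14, 2))
LAST_FIXED_LINE = (6, 14)

# Confluence Server/Data Center emits its version in every page as
#   <meta name="ajs-version-number" content="6.13.2">
# so an administrator can read it from a saved copy of the login page.
META_VERSION_RE = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Turn '6.13.2', '6.13' or '6.13.2-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if this version is in the affected range for CVE-2019-3395/3396."""
    v = parse_version(version)
    line = v[:2]
    if line > LAST_FIXED_LINE:
        return False            # 6.15.x, 7.x, ... shipped after the fix
    for fixed in FIXED_RELEASES:
        if line == fixed[:2]:
            return v < fixed    # same line: fixed only from that release on
    return True                 # 1.x-5.x, 6.1-6.5, 6.7-6.11: no fixed release


def version_from_html(html: str) -> Optional[str]:
    """Extract the version string from Confluence page HTML, or None if absent."""
    m = META_VERSION_RE.search(html)
    return m.group(1) if m else None


def assess_html(html: str) -> Optional[bool]:
    """Combine both steps: None if no version tag was found, else is_affected()."""
    version = version_from_html(html)
    return None if version is None else is_affected(version)


# Constructed sample: a fragment of a Confluence login page (not captured from
# a real instance), reporting a version that the advisory lists as affected.
SAMPLE_LOGIN_PAGE = """<!DOCTYPE html><html><head>
<meta charset="utf-8">
<meta name="ajs-version-number" content="6.13.2">
<title>Log In - Confluence</title>
</head><body></body></html>"""

if __name__ == "__main__":
    found = version_from_html(SAMPLE_LOGIN_PAGE)
    print(f"sample page reports Confluence {found}: affected={is_affected(found)}")
    for v in ["5.10.8", "6.6.11", "6.6.12", "6.13.2", "6.13.3", "6.14.2", "6.15.1", "7.0.0"]:
        print(f"{v:>8}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```

To use it against a live instance, save the login page HTML (for example with your browser or curl) and pass it to `assess_html`; a result of `None` means the page did not carry the version tag and you should check Confluence's own About dialog instead.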

                    Is there a workaround?

                    Yes. If you are unable to upgrade Confluence immediately, there is a simple but temporary workaround: go to the cog (⚙) menu > Manage apps (Manage add-ons in older versions), change the filter drop-down from User-installed to System so that system apps are listed, and disable the following two system plugins:

                    • WebDAV plugin
                    • Widget Connector

                    Once you have upgraded Confluence, you can re-enable these plugins. Note that while the Widget Connector is disabled, pages that use the widget macro to embed external content (for example YouTube videos) will not render that content, and WebDAV clients will not be able to connect.

                    Anyone running an affected version of Confluence should apply this workaround now; it is especially urgent for internet-facing installations.

                    The workaround is only a stop-gap. The real fix is to upgrade Confluence to a fixed version (6.6.12, 6.12.3, 6.13.3, 6.14.2 or later) as soon as possible.

                    We can help

                    If you have any questions, or need help with upgrading Confluence, please just get in touch.

                    About BDQ

                    BDQ is a digital transformation specialist founded in London. We combine great products with highly experienced consultants to help our customers manage tasks, automate work and collaborate more effectively.