Confluence Security Advisory

Are you a Confluence user? If so, you should be aware that Atlassian have today announced two critical security vulnerabilities (both Server and Data Center versions but not Cloud).

There's more information from Atlassian here: Confluence Security Advisory - 2019-03-20

Here's the detail you need to know.

What are the vulnerabilities?

WebDAV vulnerability - CVE-2019-3395

• Critical
• Atlassian issue: SSRF via WebDAV endpoint - CVE-2019-3395
• A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
• This means that an attacker could send requests to other systems and make it appear that they come from yours. 

Widget Connector vulnerability - CVE-2019-3396

• Critical
• Atlassian issue: Remote code execution via Widget Connector macro - CVE-2019-3396
• There was an server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
• An attacker could make arbitrary changes to the Confluence system (e.g. replacing the login page to capture passwords) and can compromise the whole server. This is a very serious vulnerability.
            

Which versions of Confluence are affected?

• All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions
• All 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions
• All 6.6.x versions before 6.6.12
• All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions
• All 6.12.x versions before 6.12.3
• All 6.13.x versions before 6.13.3
• All 6.14.x versions before 6.14.2
  
  

Is there a workaround?

Yes, customers can apply a pretty simple but temporary workaround:

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can go to  > Manage apps / add-ons and disable the following system plugins in Confluence:

• WebDAV plugin
• Widget Connector

Once you have upgraded Confluence, you can re-enable these plugins. 

Anyone with an affected version of Confluence should apply this fix, but it is especially important for anyone with an internet facing installation and should be done immediately. 

But the overall best solution is to upgrade Confluence to a later version as soon as possible.

We can help

If you have any questions, or need help with upgrading Confluence, please just get in touch.

About BDQ

BDQ is a digital transformation specialist founded in London. We combine great products with highly experienced consultants to help our customers manage tasks, automate work and collaborate more effectively.