-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2014.0021
      A vulnerability has been identified in Atlassian Confluence
                           27 February 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Confluence
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Member content until: Saturday, March 29 2014

OVERVIEW

        A vulnerability has been identified in Atlassian Confluence up to
        and including version 5.4.1.

IMPACT

        The vendor has provided the following details regarding the issue:

        "User privilege escalation

        Severity

        Atlassian rates the severity level of this vulnerability as
        critical, according to the scale published in Severity Levels of
        Security Issues. The scale allows us to rank the severity as
        critical, high, moderate or low.

        This is an independent assessment and you should evaluate its
        applicability to your own IT environment.

        Description

        We have identified and fixed a vulnerability in Confluence which
        allowed unauthenticated users to commit actions on behalf of any
        other authorised user. In order to exploit this vulnerability, an
        attacker requires access to the Confluence web interface.

        The vulnerability affects all supported versions of Confluence up
        to and including 5.4.1.

        Versions 5.3.4, 5.4 and 5.4.1 are not vulnerable but require
        patches for compatibility purposes in order to be able to connect
        to patched or upgraded versions of JIRA and other Atlassian
        products. You do not need to patch these versions if you are not
        using Application Links with Trusted Applications authentication
        configured.

        This issue has been fixed in 5.4.2.

        The issue is tracked in CONF-31628 - Privilege escalation
        (RESOLVED)." [1]

MITIGATION

        The vendor recommends updating to the latest version of Confluence
        to correct this vulnerability.

REFERENCES

        [1] Confluence Security Advisory 2014-02-26
            https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-02-26

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
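An added triage helper, not part of the AusCERT bulletin or Atlassian's advisory, that maps a Confluence version string plus the "Trusted Applications configured" flag onto the three outcomes the advisory describes (vulnerable, not vulnerable but compatibility patch required, fixed). The inventory, hostnames and the function names are constructed for illustration.

```python
"""Triage Confluence instances against ASB-2014.0021 (CONF-31628)."""
from __future__ import annotations
import re

# Boundaries taken from the advisory text: 5.4.2 is the first fixed
# release; 5.3.4, 5.4 and 5.4.1 are not vulnerable but need the
# compatibility patch when Trusted Applications authentication is used.
FIXED_IN = (5, 4, 2)
NOT_VULNERABLE_BUT_PATCH = {(5, 3, 4), (5, 4, 0), (5, 4, 1)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract a (major, minor, patch) tuple from strings such as
    'Confluence 5.4.1', '5.4' or '5.3.4-build-1'; a missing patch is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version_text: str, uses_trusted_applications: bool) -> str:
    """Return one of 'fixed', 'no-action', 'compat-patch', 'vulnerable'."""
    v = parse_version(version_text)
    if v >= FIXED_IN:
        return "fixed"
    if v in NOT_VULNERABLE_BUT_PATCH:
        # Only the Application Links / Trusted Applications case needs work.
        return "compat-patch" if uses_trusted_applications else "no-action"
    # Every other supported release up to and including 5.4.1 is affected.
    return "vulnerable"


def actions_for(inventory: list[tuple[str, str, bool]]) -> dict[str, str]:
    """inventory rows: (hostname, reported version, trusted apps in use)."""
    return {host: triage(ver, ta) for host, ver, ta in inventory}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("wiki-prod.example.test", "Confluence 5.4.1", True),
    ("wiki-dev.example.test", "5.4", False),
    ("wiki-old.example.test", "Confluence 5.1.5", False),
    ("wiki-new.example.test", "5.4.2", True),
]

if __name__ == "__main__":
    for host, action in actions_for(SAMPLE_INVENTORY).items():
        print(f"{host:28} {action}")
```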