===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1083
                  Confluence Security Advisory 2013-08-05
                               7 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Confluence
Publisher:         Atlassian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2013-08-05

--------------------------BEGIN INCLUDED TEXT--------------------

Confluence Security Advisory 2013-08-05

Added by Vitaly Osipov [Atlassian], last edited by Vitaly Osipov [Atlassian]
on Aug 06, 2013

This advisory discloses a critical security vulnerability that we have found
in Confluence and fixed in a recent version of Confluence. Customers who have
downloaded and installed Confluence should upgrade their existing Confluence
installations or apply the patch to fix this vulnerability.

Atlassian OnDemand customers have been upgraded with the fix for the issue
described in this advisory. No other Atlassian products are affected.

The vulnerability affects all versions of Confluence up to and including
5.1.4.

Atlassian is committed to improving product security. We fully support the
reporting of vulnerabilities and we appreciate it when people work with us to
identify and solve the problem. If you have questions or concerns regarding
this advisory, please raise a support request at http://support.atlassian.com.

OGNL double evaluation in atlassian-xwork
-----------------------------------------

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in Severity Levels of Security Issues. The
scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability
to your own IT environment.

Description

We have fixed a vulnerability in our version of Xwork. In specific
circumstances, attackers can use this vulnerability to execute Java code of
their choice on systems that use these frameworks. The attacker needs to be
able to access the Confluence web interface. In cases when anonymous access
is enabled, a valid user account is not required to exploit this
vulnerability.

The vulnerability affects all versions of Confluence up to and including
5.1.4. It has been fixed in 5.1.5.

The issue is tracked in CONF-30221 (OGNL double evaluation in
atlassian-xwork, Resolved).

Our thanks to Reginaldo Silva (http://www.ubercomp.com/) who reported the
vulnerability in this advisory.

Risk Mitigation

If you are unable to upgrade or patch your Confluence server you can do the
following as a temporary workaround:

  - Block access to all URLs on a Web Application Firewall or a reverse
    proxy that contain the string "${" in URL parameters or the request
    body. Note that this string can be URL-encoded. Do not apply this or a
    similar filter together with the patch provided below, as the login
    page will break.
  - Block access to your Confluence server web interface from untrusted
    networks, such as the Internet.

Fix

This vulnerability can be fixed by upgrading Confluence. There is also a
patch available for this vulnerability for all supported versions of
Confluence. If you have any questions, please raise a support request at
http://support.atlassian.com. We recommend upgrading.

The Security Patch Policy describes when and how we release security patches
and security upgrades for our products.

Upgrading Confluence

Upgrade to Confluence 5.1.5 or a later version, which fixes this
vulnerability. For a full description of these releases, see the Confluence
Release Notes. You can download these versions of Confluence from the
download centre.
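The Risk Mitigation workaround above says to reject requests whose URL parameters or body contain "${", remembering that the string may be URL-encoded. The following request-screening function is an added example (not Atlassian's or AusCERT's code) of that rule as a reverse-proxy or WAF hook would apply it; the decode depth and the sample requests in the comments are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qsl, unquote

# Added example implementing the advisory's temporary workaround: flag any
# request whose parameters or body carry "${" once percent-decoding is undone.
# Per the advisory, do NOT run this filter together with the xwork patch,
# because the login page will break.
MARKER = "${"
MAX_DECODE_PASSES = 3   # assumption: also catch double/triple-encoded forms


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the text stops changing."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _offending_param(form: str) -> Optional[str]:
    """Name of the first parameter whose name or value contains '${', if any."""
    for name, value in parse_qsl(form, keep_blank_values=True):
        if MARKER in fully_decode(name) or MARKER in fully_decode(value):
            return name
    return None


def screen_request(query_string: str, body: str = "") -> Optional[str]:
    """Return a short reason to block the request, or None if it looks clean.

    Constructed inputs, e.g. "title=%24%7Bfoo%7D" (single-encoded) or
    "title=%2524%257Bfoo%257D" (double-encoded), both yield "query param
    'title'"; "pageId=123&title=hello" yields None.
    """
    for label, text in (("query", query_string), ("body", body)):
        param = _offending_param(text)
        if param is not None:
            return f"{label} param {param!r}"
        # Raw scan as a backstop for fragments parse_qsl does not split cleanly.
        if MARKER in fully_decode(text):
            return label
    return None
```

Log the returned reason with the source address so blocked requests can be reviewed before the filter is removed when the server is patched or upgraded.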
If you have migrated from Atlassian OnDemand and are using Confluence
5.x-OD, you should upgrade to 5.2-OD-13-1.

Patches

We recommend patching only when you cannot upgrade or cannot apply external
security controls. Patches are usually only provided for vulnerabilities of
critical severity (as per our Security Patch Policy) as an interim solution
until you can upgrade. You should not expect that you can continue patching
your system instead of upgrading. Our patches are often non-cumulative - we
do not recommend that you apply multiple patches from different advisories
on top of each other, but strongly recommend upgrading to the most recent
version regularly.

If for some reason you cannot upgrade to the latest version of Confluence,
you must apply the patch provided below to fix the vulnerability described
in this advisory. It has been tested for all supported versions of
Confluence and may work for unsupported versions as well.

Download the patch file.

  Version                  Patch                Tracking issue
  -----------------------  -------------------  ----------------------------
  Confluence 3.5 - 5.1.4   xwork-1.0.3.6.jar    CONF-30221 - OGNL double
                                                evaluation in
                                                atlassian-xwork (Resolved)

  MD5 (xwork-1.0.3.6.jar) = 59c8950b1129637bb63aea94b4139d7f

  1. Shut down Confluence.
  2. Move the file <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/xwork-1.x.x.x.jar
     to a location outside the <CONFLUENCE-INSTALL> folder.
  3. Add the downloaded xwork-1.0.3.6.jar file to the folder
     <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/.
  4. Start up Confluence again.

To confirm that you have applied the patch successfully, check the version
of the xwork jar that has been loaded into Confluence as follows:

  1. Log in as administrator.
  2. Navigate to the /admin/classpath.action URL on your instance and search
     for "/xwork-".
  3. There should be a single hit: xwork-1.0.3.6.jar. This confirms that the
     patch has been correctly applied.

Note: This patch has the following side effect.
If you have configured all of the below:

  - allowed anonymous access in global permissions
  - allowed anonymous view in space permissions
  - restricted some content in that space so that anonymous cannot view it

then any time a non-logged-in user tries to view the restricted content they
will be redirected to a login page normally, but once they are logged in they
will be redirected to the site homepage, not their original destination.

Workaround: Once the user has logged in, they should manually navigate back
to the page they intended to view.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================