Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                  Confluence Security Advisory 2013-08-05
                               7 August 2013


        AusCERT Security Bulletin Summary

Product:           Atlassian Confluence
Publisher:         Atlassian
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Confluence Security Advisory 2013-08-05

    Added by Vitaly Osipov [Atlassian], last edited by Vitaly Osipov 
    [Atlassian] on Aug 06, 2013

This advisory discloses a critical security vulnerability that we have found in
Confluence and fixed in a recent version of Confluence.

    Customers who have downloaded and installed Confluence should upgrade their
    existing Confluence installations or apply the patch to fix this 
    Atlassian OnDemand customers have been upgraded with the fix for the issue
    described in this advisory.
    No other Atlassian products are affected.

The vulnerability affects all versions of Confluence up to and including 5.1.4.

Atlassian is committed to improving product security. We fully support the 
reporting of vulnerabilities and we appreciate it when people work with us to 
identify and solve the problem.

If you have questions or concerns regarding this advisory, please raise a 
support request at http://support.atlassian.com.

OGNL double evaluation in atlassian-xwork


Atlassian rates the severity level of this vulnerability as critical, 
according to the scale published in Severity Levels of Security Issues. The 
scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to
your own IT environment.


We have fixed a vulnerability in our version of Xwork. In specific 
circumstances, attackers can use this vulnerability to execute Java code of 
their choice on systems that use these frameworks. The attacker needs to be 
able to access the Confluence web interface. In cases when anonymous access is 
enabled, a valid user account is not required to exploit this vulnerability.

The vulnerability affects all versions of Confluence up to and including 5.1.4.
It has been fixed in 5.1.5. The issue is tracked in  CONF-30221 - OGNL double 
evaluation in atlassian-xwork ( Resolved) .

Our thanks to Reginaldo Silva (http://www.ubercomp.com/) who reported the 
vulnerability in this advisory.

Risk Mitigation

If you are unable to upgrade or patch your Confluence server you can do the 
following as a temporary workaround:

    Block access to all URLs on a Web Application Firewall or a reverse proxy
    that contain a string "${" in URL parameters or request body. Note that 
    this string can be URL-encoded. Do not apply this or a similar filter 
    together with the patch provided below, as the login page will break.

    Block access to your Confluence server web interface from untrusted 
    networks, such as the Internet.


This vulnerability can be fixed by upgrading Confluence. There is also a patch 
available for this vulnerability for all supported versions of Confluence. If 
you have any questions, please raise a support request at 
http://support.atlassian.com. We recommend upgrading.

The  Security Patch Policy describes when and how we release security patches 
and security upgrades for our products.  

Upgrading Confluence

Upgrade to Confluence 5.1.5 or a later version, which fixes this vulnerability.
For a full description of these releases, see the Confluence Release Notes. You
can download these versions of Confluence from the  download centre.  If you 
have migrated from Atlassian OnDemand and are using Confluence 5.x-OD, you 
should upgrade to 5.2-OD-13-1. 


We recommend patching only when you cannot upgrade or cannot apply external 
security controls. Patches are usually only provided for vulnerabilities of 
critical severity (as per our  Security Patch Policy) as an interim solution 
until you can upgrade. You should not expect that you can continue patching 
your system instead of upgrading. Our patches are often non-cumulative - we do
not recommend that you apply multiple patches from different advisories on top 
of each other, but strongly recommend upgrading to the most recent version 

If for some reason you cannot upgrade to the latest version of Confluence, you
must apply the patch provided below to fix the vulnerability described in this
advisory. It has been tested for all supported versions of Confluence and may 
work for unsupported versions as well.

    Download the patch file.

Version	    		Patch	    		Tracking issue
Confluence 3.5 - 5.1.4	xwork-	CONF-30221 - OGNL double evaluation
						in atlassian-xwork ( Resolved)

    MD5 (xwork- = 59c8950b1129637bb63aea94b4139d7f
    Shutdown Confluence.
    Move file <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/xwork-1.x.x.x.jar to 
    a location outside the <CONFLUENCE-INSTALL> folder.
    Add the downloaded xwork- file to folder 

    Start up Confluence again.

To confirm that you have applied the patch successfully, check the version of 
the xwork jar that has been loaded into Confluence as follows.

    Log in as administrator.
    Navigate to /admin/classpath.action URL on your instance and search for 
    There should be a single hit: xwork- This confirms that the 
    patch has been correctly applied.

Note: This patch has the following side effect.

If you have configured all of the below:

    allowed anonymous access in global permissions
    allowed anonymous view in space permissions
    restricted some content in that space so that anonymous cannot view it

then any time a non-logged-in user tries to view the restricted content they 
will be redirected to a login page normally, but once they are logged in they 
will be redirected to the site homepage, not their original destination.

Workaround: Once the user has logged in, they should manually navigate back to 
the page they intended to view.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967