-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3305
         Critical: Confluence Server and Confluence Data Center -
                           Local File Disclosure
                              30 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Confluence Server
                   Confluence Data Center
Publisher:         Atlassian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3394  

Original Bulletin: 
   https://confluence.atlassian.com/doc/confluence-security-advisory-2019-08-28-976161720.html

Comment: Atlassian notes that cloud instances are not affected.

- --------------------------BEGIN INCLUDED TEXT--------------------

Confluence Security Advisory - 2019-08-28

Confluence Server and Confluence Data Center - Local File Disclosure -
CVE-2019-3394

          Summary           CVE-2019-3394 - Local File Disclosure via Export

   Advisory Release Date    28 Aug 2019 10 AM PDT (Pacific Time, -7 hours)

          Product           Confluence Server and Confluence Data Center

                              * 6.1.0 <= version < 6.6.16
                              * 6.7.0 <= version < 6.13.7
                              * 6.14.0 <= version < 6.15.8

 Affected Confluence Server   That is:
          Versions           * All 6.1.x versions
                              * All 6.2.x versions
                              * All 6.3.x versions
                              * All 6.4.x versions
                              * All 6.5.x versions
                              * All 6.6.x versions before 6.6.16 (the fixed
                                version for 6.6.x)
                              * All 6.7.x versions
                              * All 6.8.x versions
                              * All 6.9.x versions
                              * All 6.10.x versions
                              * All 6.11.x versions
                              * All 6.12.x versions
                              * All 6.13.x versions before 6.13.7 (the fixed
                                version for 6.13.x)
                              * All 6.14.x versions
                              * All 6.15.x versions before 6.15.8 (the fixed
                                version for 6.15.x)

  Fixed Confluence Server     * 6.6.16
         Versions             * 6.13.7
                              * 6.15.8

         CVE ID(s)          CVE-2019-3394


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was
introduced in version 6.1.0 of Confluence Server and Confluence Data Center.
Versions of Confluence Server and Confluence Data Center starting with 6.1.0
before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the
fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for
6.15.x) are affected by this vulnerability.

Atlassian Cloud instances are not affected by the issue described on this
page.

Customers who have upgraded Confluence Server or Confluence Data Center to
version 6.6.16, 6.13.7 or 6.15.8 are not affected.

Customers who have downloaded and installed the following versions of
Confluence Server or Data Center are affected:

  * All 6.1.x versions
  * All 6.2.x versions
  * All 6.3.x versions
  * All 6.4.x versions
  * All 6.5.x versions
  * All 6.6.x versions before 6.6.16 (the fixed version for 6.6.x)
  * All 6.7.x versions
  * All 6.8.x versions
  * All 6.9.x versions
  * All 6.10.x versions 
  * All 6.11.x versions
  * All 6.12.x versions
  * All 6.13.x versions before 6.13.7 (the fixed version for 6.13.x)
  * All 6.14.x versions
  * All 6.15.x versions before 6.15.8 (the fixed version for 6.15.x)

Please upgrade your Confluence Server or Confluence Data Center installations
immediately to fix this vulnerability.


Local File Disclosure - CVE-2019-3394

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

Confluence Server and Data Center had a local file disclosure vulnerability in
the page export function. A remote attacker who has Add Page space permission
would be able to read arbitrary files in the
<install-directory>/confluence/WEB-INF directory, which may contain
configuration files used for integrating with other services, potentially
leaking credentials, such as LDAP credentials, or other sensitive information.
The potential to leak LDAP credentials exists if LDAP credentials are specified
in an atlassian-user.xml file, which is a deprecated method for configuring
LDAP integration.

To determine the impact of this vulnerability, please check your
<install-directory>/confluence/WEB-INF directory and its subdirectories
(especially /classes/) for any files that contain LDAP or Crowd credentials
(crowd.properties, atlassian-user.xml), or files that contain any other
sensitive data that an administrator may have put in this directory. If nothing
is found, this vulnerability is not immediately exploitable.

If credentials are found in these directories, you should cycle the passwords.

All versions of Confluence Server and Confluence Data Center from 6.1.0 before
6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed
version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for
6.15.x) are affected by this vulnerability.

This issue can be tracked here: CONFSERVER-58734
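The impact check above (look through WEB-INF for crowd.properties, atlassian-user.xml and any other file holding credentials) is easy to do by hand once, but worth scripting if you run more than one instance. The script below is an added example and is not part of the Atlassian advisory. It assumes a UNIX host with POSIX find, grep and sort, and the key words it greps for (password, credential, secret) are a heuristic starting point, not an exhaustive list of what an administrator might have left in that directory. A non-zero finding count means the vulnerability was immediately exploitable on that host and the credentials in the listed files should be rotated, not just the server patched.

```shell
#!/bin/sh
# Added example, not part of the Atlassian advisory: triage whether
# CVE-2019-3394 could have leaked secrets from this host by scanning
# <install-directory>/confluence/WEB-INF the way the advisory asks.
# Assumptions: a Linux/UNIX host with POSIX find, grep and sort; the grep
# key words are a heuristic starting point, not an exhaustive secret list.

# scan_webinf WEBINF_DIR
#   Prints one finding per line and returns 0 if anything sensitive was found
#   (treat as "exploitable: rotate those credentials"), 1 if nothing was found.
scan_webinf() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  hits=$( {
    # 1. The two files the advisory names explicitly: crowd.properties carries
    #    the Crowd application password, atlassian-user.xml the LDAP bind
    #    credentials when the deprecated LDAP configuration method is used.
    find "$dir" -type f \( -name crowd.properties -o -name atlassian-user.xml \) 2>/dev/null \
      | sed 's/^/named-credential-file: /'
    # 2. Any other configuration an administrator may have dropped in here,
    #    matched on credential-looking keys (case-insensitive, so PASSWORD=
    #    and password= both hit). grep -l prints the file name once.
    find "$dir" -type f \( -name '*.properties' -o -name '*.xml' \
                           -o -name '*.cfg' -o -name '*.conf' -o -name '*.txt' \) \
      -exec grep -Eil 'password|passwd|credential|secret' {} + 2>/dev/null \
      | sed 's/^/credential-like-content: /'
  } | sort -u )
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 0
  fi
  echo "nothing sensitive found under $dir (not immediately exploitable; still patch)"
  return 1
}

# scan_webinf_count WEBINF_DIR -> number of distinct findings (0 when clean)
scan_webinf_count() {
  scan_webinf "$1" | grep -Ec '^(named-credential-file|credential-like-content): ' || true
}

# Usage: sh scan-webinf.sh /opt/atlassian/confluence/confluence/WEB-INF
if [ $# -gt 0 ]; then
  scan_webinf "$1"
fi
```

A file can show up twice, once under each prefix (crowd.properties is both a named file and one whose content matches), which is intended: the first prefix tells you what the file is, the second that a secret-looking key is actually present in it. Run it against every node of a Data Center cluster; WEB-INF is local to each node's install directory and nodes are not guaranteed to be identical.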

Acknowledgements

We would like to acknowledge "Magic Ice Cream Shop" for finding this
vulnerability.

Fix

We have taken the following steps to address this issue:

  * Released Confluence Server and Data Center version 6.15.8, which contains a
    fix for this issue and can be downloaded from https://www.atlassian.com
    /software/confluence/download/.
  * Released Confluence Server and Data Center versions 6.6.16 and 6.13.7,
    which contain a fix for this issue and can be downloaded from https://
    www.atlassian.com/software/confluence/download-archives.

What You Need to Do

Atlassian recommends that you upgrade to the latest version (6.15.8). For a
full description of the latest version of Confluence Server, see the 6.15
Release Notes. You can download the latest version of Confluence Server from
the Atlassian website and find our Confluence installation and upgrade guide
here.

If you cannot upgrade Confluence Server or Confluence Data Center to version
6.15.8 or higher:

(1) If you have a current Enterprise Release version (an Enterprise Release
version released on 28th August 2017 or later), upgrade to the latest version
of your Enterprise Release version.

           If you have Enterprise Release version...              then upgrade
                                                                  to version:

6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8,   6.6.16
6.6.9, 6.6.10, 6.6.11, 6.6.12, 6.6.13, 6.6.14, 6.6.15

6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6           6.13.7

(2) If you have an older version (a feature version released before 28th
February 2019, or an Enterprise Release version released before 28th August
2017), either upgrade to the latest version of Confluence Server or Data
Center, or to the latest version of an Enterprise Release version.

If you are running Confluence 6.10 because you are unable to upgrade to a later
version due to compatibility issues with Companion App (which replaced Edit in
Office), upgrade to either 6.15.8 or 6.13.7 (Enterprise Release) and follow the
steps in our documentation to enable the legacy Edit in Office feature.

Mitigation

If you are unable to upgrade Confluence immediately or are in the process of
migrating to Confluence Cloud, then as a temporary workaround you can use the
atlassian.confluence.export.word.max.embedded.images system property to set
the maximum number of images to include in Word exports to zero. This will
prevent images from being embedded in Word exports.

How you apply the system property depends on how you run Confluence. 

 Run Confluence as a Windows service...

 1. In Windows, go to Services and locate your Confluence service. It will be
    called something like "Atlassian Confluence Confluence12345678"
 2. Double click the Confluence service, and make a note of the Service name. 
    It will be something like "Confluence12345678".  
 3. Open Command Prompt and cd to the <install-directory>\bin directory.

 4. Run the following command, where SERVICENAME is your service name.

    tomcat9w //ES//SERVICENAME

    Note that the Tomcat version may be different in your version of
    Confluence. You can check the name of your Tomcat file in the
    <install-directory>/bin (it will be either tomcat8w.exe, or tomcat9w.exe)

 5. The Services dialog will appear, this time with a Java tab. 
 6. In the Java Options field, add the following on a new line:

    -Datlassian.confluence.export.word.max.embedded.images=0

 7. Save your changes, and restart the service for the changes to take effect. 

See Configuring System Properties for more detailed information on how to pass
this system property. 

 Start Confluence on Windows manually...

 1. Stop Confluence.
 2. Edit the <install-directory>/bin/setenv.bat file.
 3. In the block that configures the CATALINA_OPTS variable, add the following
    line:


    set CATALINA_OPTS=-Datlassian.confluence.export.word.max.embedded.images=0 %CATALINA_OPTS%

 4. Save the file and restart Confluence.

 Start Confluence on Linux manually...

 1. Stop Confluence.
 2. Edit the <install-directory>/bin/setenv.sh file.
 3. In the block that configures the CATALINA_OPTS variable, add the following
    line:


    CATALINA_OPTS="-Datlassian.confluence.export.word.max.embedded.images=0 ${CATALINA_OPTS}"

 4. Save the file and restart Confluence.

See Configuring System Properties for more detailed information on how to pass
this system property when running Confluence in AWS using our Quick Start
templates, or as a Windows service.

To verify that the workaround was applied correctly:

 1. Create a page with an image.
 2. Export the page to word.
 3. Verify that the image is not embedded in the exported file.
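For the Linux path above, the edit to setenv.sh and the post-restart check can be scripted so that the same change lands identically on every node. The script below is an added example, not Atlassian's own tooling, and it covers only the "start Confluence on Linux manually" case; Windows service installs still go through the tomcat9w Java tab as described. It assumes a stock setenv.sh that builds CATALINA_OPTS and then runs "export CATALINA_OPTS", and that ps and pgrep are available for the live check. The advisory's own end-to-end test (export a page with an image to Word and confirm the image is missing) remains the final confirmation; the live check only tells you whether the running JVM was started with the property, which is the step most often forgotten.

```shell
#!/bin/sh
# Added example, not part of the Atlassian advisory: apply the
# CVE-2019-3394 workaround to a Linux install's bin/setenv.sh and check
# that a running Confluence JVM actually picked it up after the restart.
# Assumptions: a stock setenv.sh that builds CATALINA_OPTS and then runs
# "export CATALINA_OPTS"; ps and pgrep available for the live check.

PROP="atlassian.confluence.export.word.max.embedded.images"
WORKAROUND_LINE="CATALINA_OPTS=\"-D${PROP}=0 \${CATALINA_OPTS}\""

# setenv_has_workaround SETENV_SH -> 0 if the property is already set to 0 there
setenv_has_workaround() {
  grep -qF -- "-D${PROP}=0" "$1"
}

# apply_workaround SETENV_SH
#   Idempotently inserts the CATALINA_OPTS line right before "export CATALINA_OPTS"
#   (appends it if no export line exists) and keeps a backup for rollback.
apply_workaround() {
  f="$1"
  setenv_has_workaround "$f" && return 0
  cp -p "$f" "$f.bak-cve-2019-3394" || return 1
  tmp="$f.tmp.$$"
  awk -v line="$WORKAROUND_LINE" '
    /^[[:space:]]*export[[:space:]]+CATALINA_OPTS/ && !done { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# jvm_args_have_workaround "ARGS" -> 0 if a JVM command line (for example the
# output of: ps -o args= -p PID) carries the property with the value 0.
# Anything else, including a non-zero value or the property missing, is 1.
jvm_args_have_workaround() {
  case " $1 " in
    *" -D${PROP}=0 "*) return 0 ;;
    *)                 return 1 ;;
  esac
}

# check_running_confluence: inspect every live Tomcat Bootstrap JVM on the host
# and report whether the workaround is in effect; 0 if at least one is, 1 otherwise.
check_running_confluence() {
  rc=1
  for pid in $(pgrep -f org.apache.catalina.startup.Bootstrap 2>/dev/null); do
    if jvm_args_have_workaround "$(ps -o args= -p "$pid")"; then
      echo "pid $pid: workaround active"; rc=0
    else
      echo "pid $pid: workaround NOT active (setenv.sh edited but not restarted?)"
    fi
  done
  [ $rc -eq 0 ] || echo "no running Confluence JVM has the property set"
  return $rc
}

# Usage: sh apply-cve-2019-3394-workaround.sh /opt/atlassian/confluence
if [ $# -gt 0 ]; then
  apply_workaround "$1/bin/setenv.sh" \
    && echo "setenv.sh updated; restart Confluence, then run check_running_confluence"
fi
```

The property is matched as a whole token with the exact value 0, so a typo such as "=O" or a leftover "=5" from testing is reported as not active rather than silently accepted. Remove the workaround line again once the instance is on 6.6.16, 6.13.7 or 6.15.8, or Word exports will keep shipping without images.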

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----