Urgent: Serious Vulnerability Found in Confluence Server and Data Center Products

By Dave Theodore
Atlassian Team Manager

On Wednesday August 28, 2019, Atlassian announced a critical “Confluence Local File Disclosure.” In certain cases, this vulnerability allows a remote user to view the contents of files on the Confluence server file system. Some Confluence configurations contain files with embedded credentials, and those credentials can be exposed to a remote attacker. Atlassian views this as a critical vulnerability, requiring immediate attention.

What you need to know…

  • Versions affected: This vulnerability affects all Confluence 6.X versions except for 6.6.16, 6.13.7 and 6.15.8.
  • Versions already fixed: 6.6.16, 6.13.7 and 6.15.8.
  • Location and description of vulnerability: This vulnerability allows an attacker with login access and “Add Page” permission to read files contained in the /confluence/WEB-INF directory tree. There may be files within this directory structure that contain credentials and other information useful in malicious activities.

Recommended action: Implement the short term workaround immediately and upgrade to a non-vulnerable version as soon as possible.

Short-term workaround: If you can’t upgrade immediately, we recommend that you do the following as a workaround until an upgrade can be performed.

  1. Stop Confluence
  2. Add the -Datlassian.confluence.export.word.max.embedded.images=0 system property to your Java options. This sets the maximum number of images included in Word exports to zero, which prevents images from being embedded in Word exports.
  3. Restart Confluence
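The following shell helpers are an added example, not part of the advisory or of any Atlassian tooling: one rewrites a JVM options string (such as the CATALINA_OPTS value you edit in step 2) so the workaround property is set to 0 exactly once, and the other checks a running JVM's argument string after the restart in step 3 to confirm the flag was actually picked up. The file that carries the options (commonly setenv.sh under the Confluence install directory) is an assumption; adjust it for your deployment.

```shell
#!/bin/sh
# Added example (not from the advisory). Helpers to apply and verify the
# Word-export workaround in a JVM options string. Where that string lives
# (e.g. CATALINA_OPTS in <confluence-install>/bin/setenv.sh) is assumed.

WORKAROUND_PROP='atlassian.confluence.export.word.max.embedded.images'

# Print the options string with the property forced to 0, idempotently:
# any existing -D<prop>=<value> token is dropped and a single =0 appended.
apply_workaround() {
    opts="$1"
    cleaned=$(printf '%s' "$opts" \
        | sed "s/-D${WORKAROUND_PROP}=[^ ]*//g" \
        | tr -s ' ' \
        | sed 's/^ //; s/ $//')
    if [ -n "$cleaned" ]; then
        printf '%s %s' "$cleaned" "-D${WORKAROUND_PROP}=0"
    else
        printf '%s' "-D${WORKAROUND_PROP}=0"
    fi
}

# Return 0 if the property is set to exactly 0 in the given argument string,
# 1 otherwise. Feed it the running Confluence JVM's command line after the
# restart; a value other than 0, or no flag at all, means the workaround
# is not in effect.
workaround_active() {
    case " $1 " in
        *" -D${WORKAROUND_PROP}=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run workaround_active against the live process arguments, not just the edited file, so a stale service definition or a second Confluence node is not mistaken for a patched one.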

For more information and detailed instructions please consult the Atlassian Confluence Local File Disclosure announcement.

Need help with this?

Give us a call. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

References:
CVE Article