Atlassian warns of critical security vulnerability

By on
Atlassian warns of critical security vulnerability

Atlassian has revealed a critical security issue in Confluence server.

An advisory (sign-in required) issued at 3:00AM Thursday, Australian time, offered the following explanation of the flaw:

“Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an atlassian-user.xml file, which is a deprecated method for configuring LDAP integration.”

All versions of Confluence Server and Confluence Data Center from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Atlassian has released version 6.15.8 of Confluence Server to fix the problem, and recommends a swift upgrade. Version 6.15 Release Notes are already available and the new version can be found here.

Users of the Enterprise release of Confluence Server have a different upgrade path, to version 6.16.6 or 6.13.7.

And there’s another option for those who can’t upgrade, in the form of a workaround that uses the atlassian.confluence.export.word.max.embedded.images system property to set the maximum number of images to include in Word exports to zero. This will prevent images from being embedded in Word exports.

The advisory is just the eighth that Atlassian has issued this year. The company had just eight in all of 2018, a low number compared to plenty of other vendors.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © CRN Australia. All rights reserved.
Tags:

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Poll

Disties and vendors are pushing their financial services. Are you biting?
Yes - to move away from banks!
Yes - to spread risk
Yes - dipping toes in the water
Not yet - but we like the look of it
No - looked at it and decided not to
No - it's just not right for us
View poll archive

Log In

Username / Email:
Password:
  |  Forgot your password?