We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {code} macro.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/HgdrDQ

            [CONFSERVER-21098] XSS vulnerability in Code macro

            Matt Ryall added a comment -

            Christopher, you're probably best to raise a ticket with Atlassian Support. Your logs above don't contain the relevant error information, and debugging your problem here is not going to be possible. Our support team will be able to help you get this patch installed if you need it.


            Christopher Jaksch added a comment - - edited
            01.06.2011 12:39:59 org.apache.catalina.core.StandardContext start
            SCHWERWIEGEND: Error listenerStart
            01.06.2011 12:39:59 org.apache.catalina.core.StandardContext start
            SCHWERWIEGEND: Context [] startup failed due to previous errors
            log4j:ERROR LogMananger.repositorySelector was null likely due to error in class reloading, using NOPLoggerRepository.
            01.06.2011 12:39:59 org.apache.coyote.http11.Http11Protocol start
            INFO: Starting Coyote HTTP/1.1 on http-8080
            01.06.2011 12:39:59 org.apache.catalina.startup.Catalina start
            INFO: Server startup in 13969 ms
            Exception in thread "HSQLDB Timer @315068" java.lang.NullPointerException
                    at org.hsqldb.lib.HsqlTimer.nextTask(Unknown Source)
                    at org.hsqldb.lib.HsqlTimer$TaskRunner.run(Unknown Source)
                    at java.lang.Thread.run(Thread.java:662)
            

            Hi,
            I'm running a local instance of confluence version 3.2.1 on my computer just to check plugins etc. before installing them onto my company's system.
            I replaced

            CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/lib/atlassian-renderer-6.0.3.jar

            with the attached patch version 6.0.6 and ran the Tomcat server anew.
            But instead of a working Confluence instance, I got the error message posted at the top of this post.

            Does anyone have an idea what went wrong?

            Is the patch version 6.0.6 really working as described above?
            If so, are there any other steps to follow?

            Thx for help and support,

            Cheers,
            Christopher


            Adam Laskowski (Inactive) added a comment -

            Dave (and other users of 3.2.x),

            The atlassian-renderer-6.0.6.jar should work with 3.x-3.3.x. The second patch is for use with 3.4.0 specifically as the fix was included in 3.4.1.

            Cheers,
            Adam Laskowski
            Atlassian Support

            VitalyA added a comment -

            Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

            We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend to upgrade to the most recent version regularly.


            Dave added a comment - - edited

            Will we get a separate fix for 3.2, or can the current fix be used?


            Stefan Saasen (Inactive) added a comment -

            Customers running Confluence 3.3.x:

            Please replace the following jar file with the updated atlassian-renderer-6.0.6.jar:

            CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/lib/atlassian-renderer-6.0.5.jar
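The jar swap described in the comment above, as an added example script (not from this issue or from Atlassian). It assumes the CONFLUENCE_INSTALL_DIR/confluence/WEB-INF/lib layout shown on the page; the renderer-backup directory and the "exactly one renderer jar" check are this script's own conventions, chosen so that Tomcat never loads two copies of the renderer from WEB-INF/lib.

```shell
#!/bin/sh
# Added example, not Atlassian's tooling: replace the atlassian-renderer jar
# in a Confluence install with a patched one, keeping a backup outside the
# webapp classpath and refusing to act unless exactly one renderer jar exists.

# renderer_version DIR -> prints the version of the single atlassian-renderer
# jar under DIR/confluence/WEB-INF/lib; returns 1 if there is not exactly one.
renderer_version() {
    lib="$1/confluence/WEB-INF/lib"
    set -- "$lib"/atlassian-renderer-*.jar
    # an unmatched glob stays literal, so -f also catches "no jar at all"
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    v=${1##*/atlassian-renderer-}
    printf '%s\n' "${v%.jar}"
}

# patch_renderer DIR NEWJAR -> moves the installed renderer jar to
# DIR/renderer-backup/ (outside WEB-INF/lib, so only one copy is on the
# classpath) and copies NEWJAR into WEB-INF/lib. Returns 0 on success.
patch_renderer() {
    dir="$1"; newjar="$2"
    lib="$dir/confluence/WEB-INF/lib"
    old=$(renderer_version "$dir") || {
        echo "expected exactly one atlassian-renderer-*.jar in $lib" >&2
        return 1
    }
    [ -s "$newjar" ] || { echo "new jar $newjar is missing or empty" >&2; return 1; }
    mkdir -p "$dir/renderer-backup" || return 1
    mv "$lib/atlassian-renderer-$old.jar" "$dir/renderer-backup/" || return 1
    cp "$newjar" "$lib/" || return 1
    echo "replaced atlassian-renderer-$old.jar with $(basename "$newjar")"
}

# Usage (hypothetical paths):
#   patch_renderer /opt/atlassian/confluence ./atlassian-renderer-6.0.6.jar
```

Run `renderer_version CONFLUENCE_INSTALL_DIR` again after restarting Tomcat to confirm the lib directory still holds only the 6.0.6 jar.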

            Stefan Saasen (Inactive) added a comment -

            Attached version 6.2 of Atlassian renderer that fixes the issue in the code macro.
