We have fixed a vulnerability in our version of Xwork. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. A valid user account is not required to exploit this vulnerability.

      The vulnerability affects all versions of Confluence up to and including 5.1.4.

      No other Atlassian products are affected.

      For more information on this issue, including full instructions on patches and workarounds, please see the security advisory here.

      Our thanks to Reginaldo Silva who reported this vulnerability.

            [CONFSERVER-30221] OGNL double evaluation in atlassian-xwork
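To make the issue title concrete, here is an added illustration of the OGNL "double evaluation" pattern in general. It is written for this page and is not Atlassian's code, nor the actual Confluence defect, whose internal details this issue does not describe. It assumes the ognl library (3.x) on the classpath; the Page class, the %{...} marker convention and the sample input are constructed for the example.

```java
// Added illustration (not Atlassian's code): the OGNL "double evaluation" pattern.
// Assumes ognl 3.x on the classpath. Page, the %{...} markers and the input are constructed.
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import ognl.Ognl;
import ognl.OgnlException;

public class DoubleEvalDemo {

    /** Root object OGNL resolves properties against; "name" carries attacker-controlled text. */
    public static class Page {
        private final String name;
        public Page(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Marker syntax for embedded expressions, e.g. "%{6*7}" (constructed for this example). */
    private static final Pattern EXPR = Pattern.compile("%\\{(.+?)\\}");

    /** Evaluates one OGNL expression against the given root object. */
    static Object eval(String expr, Object root) throws OgnlException {
        Map ctx = Ognl.createDefaultContext(root);
        return Ognl.getValue(Ognl.parseExpression(expr), ctx, root);
    }

    /**
     * VULNERABLE: the string produced by the first evaluation is scanned for
     * %{...} markers and each one is evaluated AGAIN. When the first result is
     * attacker-controlled data, the attacker now chooses the OGNL expression.
     */
    static String renderDoubleEval(String template, Object root) throws OgnlException {
        String once = String.valueOf(eval(template, root));
        Matcher m = EXPR.matcher(once);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object inner = eval(m.group(1), root);   // second evaluation of attacker text
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(inner)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** HARDENED: the trusted template is evaluated exactly once; its result is opaque data. */
    static String renderOnce(String template, Object root) throws OgnlException {
        return String.valueOf(eval(template, root));
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed input: a page name that looks like an expression (harmless arithmetic here).
        Page page = new Page("%{6*7}");
        String template = "name";  // the trusted expression the application itself evaluates
        System.out.println("double evaluation: " + renderDoubleEval(template, page));
        System.out.println("single evaluation: " + renderOnce(template, page));
    }
}
```

The double-evaluation path computes the arithmetic inside the page name, demonstrating that data returned by the first evaluation has become an expression; the single-evaluation path prints the marker text unchanged. The fix is the same in principle for any expression language: never feed the output of an evaluation back into the evaluator, and treat everything that came from a request as data.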

Broadsign Passport added a comment -

Any advice on how to test this vulnerability?

Martin Cleaver added a comment -

Is it true that Atlassian will not be re-releasing past editions of Confluence (on the downloads list at https://www.atlassian.com/software/confluence/download-archives) to incorporate such patches?

If so, you might want to ensure that people attempting to install past versions (per https://jira.atlassian.com/browse/JRA-34196) are warned.

Thx, M.

            CharlesA added a comment -

            We strongly recommend you apply the countermeasures noted in the advisory even when anonymous access is not enabled, for the reasons Vitaly states above.


            TechnicalS added a comment -

Hi Carlos,

We supposed the same and have only updated one production instance so far. I hope you're right.

Carlos Rivera added a comment -

Q for Atlassian:

Just to be certain: if anonymous access is off, and a hacker is at a login screen and doesn't manage to log in successfully, he can't exploit this vulnerability. Is that right?

Thanks!

            VitalyA added a comment -

            By "patching" we mean "installing xwork jar manually".

            Version 5.1.5 is a normal release and does not have side effects described here and in CONF-30220.


            Hans-Peter Geier added a comment - - edited

A question regarding the side effect: does it hit only installations that replaced the Xwork jar file manually, or does it also occur after installing the latest patch (5.1.5)?
If the latter is also true, will this side effect be eliminated with 5.2 (or which version)?

            VitalyA added a comment -

            The patch and upgrade fix an underlying vulnerability that could be reached by a number of attack vectors.

            All attack vectors we found during an extensive investigation showed that either the attacker needs to be an authenticated user or the Confluence instance needs to have anonymous access 'can use' enabled. However, it is not absolutely impossible that there is another complex attack vector that bypasses this vulnerability.

            By upgrading or applying a patch you prevent any future exploits for the same vulnerability.


Kristyn Souder added a comment -

I also require an answer to the question @Jurriaan van Reijsen posed. We do not have anonymous access enabled on our Confluence installation (although our login page is available over the web). Does this mean this vulnerability would apply to us or not? Thanks!

Deleted Account (Inactive) added a comment -

Hi,

A quick question about this vulnerability:

1. The text in this ticket says: A valid user account is not required to exploit this vulnerability
2. The text in the security advisory says: In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability

Which of the two is true? This may render the vulnerability true or false for many instances out there.

Assignee: Unassigned
Reporter: VitalyA (vosipov)
Watchers: 17