Confluence Cloud / CONFCLOUD-73215

Upgrade XWork to a version with blocklist


Details


    Description

      Issue Summary

      Webwork/XWork has seen quite a few RCEs in the recent past; we have improved Velocity/XStream in terms of security. It's time to tighten the ratchet on Webwork as well.

      As a dev, I would like to see Webwork security on par with Struts' current standards. This means looking at Struts' closed security issues and assessing them against Webwork.

      Confluence Cloud can pick up a new version of XWork (1.0.3-atlassian-8) and Webwork (2.1.5-atlassian-4) to bring this blocklist feature in.

      Please follow this page to see the steps to bring this security feature in: https://hello.atlassian.net/wiki/spaces/~ggautam/blog/2021/10/21/1373912668/Being+proactive+in+guarding+Confluence+DC+Cloud+OGNL+edition#Action-for-Confluence-Cloud

      Steps to Reproduce

      N/A

      Expected Results

      Webwork is secure from future RCEs

      Actual Results

      The RCE is present. See https://stash.atlassian.com/projects/CONFSERVER/repos/confluence/pull-requests/13684/overview

      Workaround

      Don't use AST Velocity references to userDirectives such as #tag or #bodytag.

People

  Assignee: Unassigned
  Reporter: Ganesh Gautam (ggautam)
  Votes: 0
  Watchers: 1
