We have fixed a vulnerability in our version of an Xwork library which is also part of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Confluence.
The vulnerability affects all versions of Confluence up to and including 5.5.1.

      For more information see the full advisory.

            [CONFSERVER-33515] ClassLoader Manipulation vulnerability

            Matt Ryall added a comment -

            As per CONF-33729, this issue wasn't completely resolved until Confluence 5.5.2.


            VitalyA added a comment - - edited

            These instructions are for versions 4.1 onwards. Versions before 4.2, including 4.1, are EOL.

            For Confluence 3.5 - 4.0 see CONF-33738.


Jesse Lahtinen added a comment -

Hi, for Confluence 3.5.17 I also needed to upgrade atlassian-xwork-10-1.12.jar to atlassian-xwork-10-1.13.jar.

            MattS added a comment - - edited

            https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21 says that this same jar file can be used for Confluence 3.5 - 5.5.1, which is great.


            VitalyA added a comment - - edited

            This patch is for all non-EOL versions of Confluence, versions 4.2 and later.

            Patch instructions:

            1. Download the patch file attached above.
            MD5 (atlassian-xwork-core-1.17.jar) = 3e05c38578eec3583b9d5ef5e28fd058
2. Shut down Confluence.
            3. Move file <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-core-x.x.jar to a location outside the <CONFLUENCE-INSTALL> folder.
            4. Add the downloaded atlassian-xwork-core-1.17.jar file to folder <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/.
            5. Start up Confluence again.

            To confirm that you have applied the patch successfully, check the version of the atlassian-xwork-core jar that has been loaded into Confluence as follows.

            1. Log in as administrator.
            2. Navigate to /admin/classpath.action URL on your instance and search for "/atlassian-xwork-core-".
There should be a single hit: atlassian-xwork-core-1.17.jar. This confirms that the patch has been correctly applied.

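The patch steps and the post-patch check in VitalyA's comment above, written out as a POSIX shell script. This is an added example, not an attachment to the issue or Atlassian's own tooling: the jar name and the MD5 value are taken from the comment, while the install path, the backup directory and the assumption that Confluence has already been shut down (step 2) are the caller's responsibility. It refuses a download whose MD5 does not match, moves every existing atlassian-xwork-core jar out of WEB-INF/lib instead of deleting it, and then checks on disk what the /admin/classpath.action search confirms at runtime: exactly one atlassian-xwork-core jar, and it is 1.17.

```shell
#!/bin/sh
# Added example (not from the Jira issue or Atlassian): applies the patch steps
# from the comment on a stopped Confluence install. Install and backup paths are
# assumptions passed in by the caller; the jar name and MD5 come from the issue.
set -eu

EXPECTED_MD5="3e05c38578eec3583b9d5ef5e28fd058"   # MD5 of atlassian-xwork-core-1.17.jar, per the comment
NEW_JAR_NAME="atlassian-xwork-core-1.17.jar"

# MD5 of a file, using md5sum (coreutils) or openssl as a fallback.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Step 1 check: only install a download whose MD5 matches the advisory value.
# $1 = path to the downloaded jar, $2 = expected MD5 (normally $EXPECTED_MD5)
verify_download() {
    [ "$(file_md5 "$1")" = "$2" ]
}

# Steps 3-4: move every existing atlassian-xwork-core-*.jar out of WEB-INF/lib into a
# backup directory outside the install (never delete it), then copy the patched jar in.
# $1 = <CONFLUENCE-INSTALL>, $2 = verified downloaded jar, $3 = backup directory
apply_patch() {
    lib="$1/confluence/WEB-INF/lib"
    mkdir -p "$3"
    for old in "$lib"/atlassian-xwork-core-*.jar; do
        [ -e "$old" ] || continue        # glob did not match anything
        mv "$old" "$3/"
    done
    cp "$2" "$lib/$NEW_JAR_NAME"
}

# Post-patch check, the on-disk equivalent of searching /admin/classpath.action for
# "/atlassian-xwork-core-": succeeds only if exactly one such jar exists and it is 1.17.
# $1 = <CONFLUENCE-INSTALL>
check_single_jar() {
    lib="$1/confluence/WEB-INF/lib"
    count=0
    found=""
    for j in "$lib"/atlassian-xwork-core-*.jar; do
        [ -e "$j" ] || continue
        count=$((count + 1))
        found=$(basename "$j")
    done
    [ "$count" -eq 1 ] && [ "$found" = "$NEW_JAR_NAME" ]
}

# Typical use on a stopped instance (paths are examples):
#   verify_download /tmp/atlassian-xwork-core-1.17.jar "$EXPECTED_MD5" \
#     && apply_patch /opt/atlassian/confluence /tmp/atlassian-xwork-core-1.17.jar /opt/confluence-backup \
#     && check_single_jar /opt/atlassian/confluence
```

Two jars matching the pattern (for example the old one left in place beside 1.17) fail the check on purpose: that is exactly the situation step 3 exists to avoid, since the servlet container may load either one. Run the script after step 2 and before step 5; the runtime classpath check in the comment is still worth doing after the restart.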

Assignee: Unassigned
Reporter: VitalyA (vosipov)