Sorry for my ignorance but where is this change made at? We are also not able to upgrade just yet.

For anyone else with this issue, I have put a apache config change in place to block access, from our access logs i don't see other requests that use the decoratorName query string.

        # CVE-2015-8399 2016-08-16
        RewriteCond %{QUERY_STRING} decoratorName(=|%3D).* [NC]
        RewriteRule ^(.*)$ - [F,L]

Minh,

Thanks for responding, I am working on upgrading to 5.9, but cannot do so immediately and this needs to be fixed on my side quickly. Confluence 5.9 has a significant problem with content indexing CONF-41030, and all our plugins will have to be tested against it after upgrading the DB. Can you provide a short-term workaround?

Thanks,

-chuck

Dear chuck.solie175462723,

This bug is already fixed against versions 5.7.6, 5.8.17, 5.9.1. Please upgrade your Confluence to have the fix

Best regards,
Minh Tran
Confluence BugMaster
Atlassian

Hi,

I'm puzzled by the first workaround. It says "Do not run Confluence as root/administrator. We always recommend creating a dedicated user account to run Atlassian products. You can limit the impact of this bug by restricting what the app user account can access."

I am running confluence as a non privileged user (tomcat), and see this vulnerability on both authenticated and anonymous requests.

For those that can not immediately upgrade, can you provide a implementable workaround?

1) What are appropriate ownership and permissions for the confluence/WEB-INF/classes/ files as they have to be readable by tomcat.

2) What specific URI patterns should be blocked on the proxy / front end?

Thanks!

The description says "allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence."

This seems to be misleading, at least in the case of Confluence 5.5.7. We have a Confluence instance that is configured to permit anonymous access, and even unauthenticated users can access private content using the format "http://<server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>".

I see that this issue has a label "CVE-2015-8399". That CVE is reserved but has no content:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8399

Atlassian, should you not now be updating that CVE? For completeness....

Dear All,

For anyone is using Confluence version 5.7.x, please upgrade to 5.7.6 to have this fix
If you have any kind of questions, please let me know

Best regards,
Minh Tran
Confluence BugMaster
Atlassian

Dear ddvandenberg1559344819,

This issue is included in https://confluence.atlassian.com/display/DOC/Confluence+5.8.17+Release+Notes not in 5.8.14
So please upgrade it to 5.8.17 to have the fix

Best regards,
Minh Tran
Confluence BugMaster
Atlassian

But it's still not a answer to my question? Why is this didn't add to the release notes?