Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-57974

Remote code execution via Widget Connector macro - CVE-2019-3396

      There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

       

      Affected versions:

      All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).

       

      Fix:

       

      For additional details, see the full advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20

       

          Form Name

            [CONFSERVER-57974] Remote code execution via Widget Connector macro - CVE-2019-3396

            Quan Pham added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.10.3
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.14, which you can find in the Download Archives.

            If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.5, which you can find in the Download Archives.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.10.3 Upgrade now or check out the Release Notes to see what other issues are resolved. If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.14, which you can find in the Download Archives . If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.5, which you can find in the Download Archives .

            >  Hi, as i understand this vulnerability is fixed for those using cloud version of confluence?
             

            Hi rabia.tahir, yes this issue has been fixed in Atlassian Confluence Cloud.

            David Black added a comment - >  Hi, as i understand this vulnerability is fixed for those using cloud version of confluence?   Hi rabia.tahir , yes this issue has been fixed in Atlassian Confluence Cloud.

            Hi, as i understand this vulnerability is fixed for those using cloud version of confluence?

            Rabia Tahir added a comment - Hi, as i understand this vulnerability is fixed for those using cloud version of confluence?

            Florian,
            I'm not sure if it's correct to provide links to exploits/PoC here, but here you can find more specific information:

            Alternatively, you can look up PoC code for CVE-2019-3396 in Github.

            Oleksiy Brushkovskyy added a comment - Florian, I'm not sure if it's correct to provide links to exploits/PoC here, but here you can find more specific information: https://paper.seebug.org/886/ https://github.com/Yt1g3r/CVE-2019-3396_EXP Last one helped me to understand the mechanism of attack and ensure that the vulnerability is fixed in our Confluence. Alternatively, you can look up PoC code for CVE-2019-3396 in Github.

            Hi Oleksiy,

            Can you be more specifc on how we can determine if this vulnerability has been exploited on our Confluence instance? Is there commands we could run or particular pattern in logs we should check?

            Thank you

            AdminIT Account added a comment - Hi Oleksiy, Can you be more specifc on how we can determine if this vulnerability has been exploited on our Confluence instance? Is there commands we could run or particular pattern in logs we should check? Thank you

            Apogee Administrator,

            Any widget macro with _template parameter specified in your Confluence content.
            Normally, _template shouldn't be used directly in macro parameters, since this is some artifact of server-side code, not used by iframe.
            Further investigation of Velocity code pointed by _template will let you know the exact URL patterns of attacker requests that can be found in access log.

            Oleksiy Brushkovskyy added a comment - Apogee Administrator, Any widget macro with _template parameter specified in your Confluence content. Normally, _template shouldn't be used directly in macro parameters, since this is some artifact of server-side code, not used by iframe. Further investigation of Velocity code pointed by _template will let you know the exact URL patterns of attacker requests that can be found in access log.

            Is there a pointer somewhere to info on how to determine if this exploit is being targeted on a particular system?

            Apogee Research added a comment - Is there a pointer somewhere to info on how to determine if this exploit is being targeted on a particular system?

            Hi eva.dezsi,
            Yes it is.

            David Black added a comment - Hi eva.dezsi , Yes it is.

            Eva Dezsi added a comment -

            Is it safe to upgrade to 6.15.3?

            Thank you

            Eva Dezsi added a comment - Is it safe to upgrade to 6.15.3? Thank you

            Hi, Arianne, there was another advisory after the fix to this Widget Connector advisory was released. Check this out: https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html
            6.12.4 contains the fix for this second advisory^ so it might be worth upgrading again!

            Andrew Zimmerman added a comment - Hi, Arianne, there was another advisory after the fix to this Widget Connector advisory was released. Check this out:  https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html 6.12.4 contains the fix for this second advisory^ so it might be worth upgrading again!

              dluong Duy Truong Luong
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              35 Start watching this issue

                Created:
                Updated:
                Resolved: