-
Bug
-
Resolution: Fixed
-
Highest
-
6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.14.1
-
Severity 1 - Critical
-
There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
Affected versions:
All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).
Fix:
- Confluence Server version 6.15.1 is available for download from https://www.atlassian.com/software/confluence/download.
- Confluence Server version 6.14.2 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.13.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.12.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.6.12 is available for download from https://www.atlassian.com/software/confluence/download-archives.
For additional details, see the full advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
[CONFSERVER-57974] Remote code execution via Widget Connector macro - CVE-2019-3396
> Hi, as i understand this vulnerability is fixed for those using cloud version of confluence?
Hi rabia.tahir, yes this issue has been fixed in Atlassian Confluence Cloud.
Hi, as i understand this vulnerability is fixed for those using cloud version of confluence?
Florian,
I'm not sure if it's correct to provide links to exploits/PoC here, but here you can find more specific information:
- https://paper.seebug.org/886/
- https://github.com/Yt1g3r/CVE-2019-3396_EXP
Last one helped me to understand the mechanism of attack and ensure that the vulnerability is fixed in our Confluence.
Alternatively, you can look up PoC code for CVE-2019-3396 in Github.
Hi Oleksiy,
Can you be more specifc on how we can determine if this vulnerability has been exploited on our Confluence instance? Is there commands we could run or particular pattern in logs we should check?
Thank you
Apogee Administrator,
Any widget macro with _template parameter specified in your Confluence content.
Normally, _template shouldn't be used directly in macro parameters, since this is some artifact of server-side code, not used by iframe.
Further investigation of Velocity code pointed by _template will let you know the exact URL patterns of attacker requests that can be found in access log.
Is there a pointer somewhere to info on how to determine if this exploit is being targeted on a particular system?
Hi, Arianne, there was another advisory after the fix to this Widget Connector advisory was released. Check this out: https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html
6.12.4 contains the fix for this second advisory^ so it might be worth upgrading again!
I just upgraded my confluence to version 6.12.3, the security advisory say's that the fixed version is 6.12.4 but in the release notes for 6.12.3 say that this issue is fixed on this version. I want to know if the version 6.12.3 is really fixed as said on the release notes or if I need to upgrade to 6.12.4.
Arianne de Paula Bortolan
added a comment - - edited I just upgraded my confluence to version 6.12.3, the security advisory say's that the fixed version is 6.12.4 but in the release notes for 6.12.3 say that this issue is fixed on this version. I want to know if the version 6.12.3 is really fixed as said on the release notes or if I need to upgrade to 6.12.4. We've recently upgraded to version 6.11.2. It contains Widget Connector version 3.1.2.
Isn't it enough to take Widget Connector plugin version 3.1.4 from the nearest fixed Confluence version 6.12.3 and install it manually into 6.11.2?
Looks like it works perfectly in our test environment.
Is this vulnerability of Widget Connector plugin or the whole Confluence application?
Hi chris-f.ravenscroft396756154, correct we support enterprise releases with fixes for 2 years.
You can read more about enterprise releases here https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html.
Yes, thanks Brendan. I already disabled both plug-ins. How long is "long term?" 2 years?
Hi chris-f.ravenscroft396756154,
The https://www.atlassian.com/trust/security/bug-fix-policy contains details of which older versions we release with fixes for critical security issues. Our policy is to release a new bugfix version for any major feature version released in the past 6 months. We also backport the fixes to our current long term supported "enterprise releases" which at this point in time is 6.6 and 6.13. 5.5 falls outside this range so unfortunately we will not be able to provide a patch for that version.
If you look under the "mitigation" section in the security advisory page https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html you will see details of a workaround you can plan until you get a chance to implement an upgrade.
We are currently under attack and running 5.5.3.
Can you confirm your policy to not patch older versions?
Is there a workaround we can apply?
Thanks
I have just checked Confluence version 5.9.4 and Confluence version 6.10.2. Unfortunately, both of them are affected. We suggest you to upgrade your Confluence instances to nearest version which has a fix. So your Confluence 5.9.4 would need to be upgraded to Confluence 6.6.12 and Confluence 6.10.2 would need to be upgraded to Confluence 6.12.3 (or maybe better to upgrade to Confluence 6.13.3, because 6.6 and 6.13 are our Enterprise Release).
Thanks and Regards
Hi,
I have two confluence instance and one is unsupported in version 5.9.4. The supported one is in 6.10.2.
I would like to be sure that they are both impacted by this bug as it's not crystal clear for me if versions before 6.0 are affected. (i have to be 100% certain since it will be a big bother to me for the instance that is not supported anymore......)
Can you confirm that both 5.9.4 and 6.10.2 are affected ?
Regards
Hi, is upgrading the widget connector plugin to the latest 3.1.4 version enough to fix this vulnerability?
Thanks,
Jesse Lahtinen
Polar Shift Ltd.
@Boris Berenberg: According to this disabling is a mitigation: https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html#ConfluenceSecurityAdvisory-2019-03-20-Mitigation
Can the Widget Connector Macro plugin be disabled as a workaround?
A fix for this issue is available to Server and Data Center customers in Confluence 6.12.3
Upgrade now or check out the Release Notes to see what other issues are resolved.
A fix for this issue is available to Server and Data Center customers in Confluence 6.13.3
Upgrade now or check out the Release Notes to see what other issues are resolved.
If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.12, which you can find in the Download Archives.
A fix for this issue is available to Server and Data Center customers in Confluence 6.14.2
Upgrade now or check out the Release Notes to see what other issues are resolved.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 10.0 => Critical severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
Scope Metric
| Scope | Changed |
|---|
Impact Metrics
| Confidentiality | High |
|---|---|
| Integrity | High |
| Availability | High |
See http://go.atlassian.com/cvss for more details.
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
A fix for this issue is available to Server and Data Center customers in Confluence 6.10.3
Upgrade now or check out the Release Notes to see what other issues are resolved.
If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.14, which you can find in the Download Archives.
If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.5, which you can find in the Download Archives.