[CONFSERVER-58070] Disabling WebDAV add-on will disable Office connector add-on.

Type: Suggestion
Resolution: Handled by Support
Fix Version/s: None
Component/s: Integrations - Office Connector
Labels:
None

UIS:
2
Feedback Policy:

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Issue Summary

Due to a security advisory it is required to disable WebDAV add-on in case if the instance cannot be upgraded. During the disabling, the Office Connector add-on will also be disabled (viewxls macro will not work) as this is linked requirement of WebDAV add-on. Enabling Office Connector will also enable WebDAV add-on.

Please let us know if it is possible to get patched version of Office Connector add-on, or if they are linked and can not be fixed separately.

is caused by

CONFSERVER-57971 SSRF via WebDAV endpoint - CVE-2019-3395

Closed

Form Name

Branno (Inactive) added a comment - 26/Mar/2019 11:33 PM

Howdy All,

We wanted to reach out on this suggestion to re-iterate the official Atlassian recommendations to mitigate the risks of CVE-2019-3395/6.

Upgrade Confluence to an unaffected version

Atlassian has released a fix for these vulnerabilities and has backported these fixes to several versions. Download and upgrade to one of the following versions of Confluence:

6.6.12
6.12.3
6.13.3
6.14.2
Any 6.15.x version

Temporary workaround

If you are unable to upgrade Confluence immediately, then as a temporary workaround disable the affected system plugins:

Go to > Manage Apps (or add-ons)
Disable the following system plugins:
- WebDAV plugin
- Widget Connector

Ensure these plugins are re-enabled once Confluence is upgraded to an unaffected version

We understand that disabling the WebDAV and Widget Connector plugins can be disruptive but it is only recommended as a temporary measure until an upgrade to an unaffected version can be performed.

If you have any issues with upgrading Confluence or implementing the workaround, any questions about the vulnerabilities, or any concerns please contact Atlassian Support.

Branno (Inactive) added a comment - 26/Mar/2019 11:33 PM Howdy All, We wanted to reach out on this suggestion to re-iterate the official Atlassian recommendations to mitigate the risks of CVE-2019-3395/6. Upgrade Confluence to an unaffected version Atlassian has released a fix for these vulnerabilities and has backported these fixes to several versions. Download and upgrade to one of the following versions of Confluence: 6.6.12 6.12.3 6.13.3 6.14.2 Any 6.15.x version Temporary workaround If you are unable to upgrade Confluence immediately, then as a temporary workaround disable the affected system plugins: Go to > Manage Apps (or add-ons) Disable the following system plugins: WebDAV plugin Widget Connector Ensure these plugins are re-enabled once Confluence is upgraded to an unaffected version We understand that disabling the WebDAV and Widget Connector plugins can be disruptive but it is only recommended as a temporary measure until an upgrade to an unaffected version can be performed. If you have any issues with upgrading Confluence or implementing the workaround, any questions about the vulnerabilities, or any concerns please contact Atlassian Support .

Scott Dudley [Cenote] added a comment - 25/Mar/2019 2:36 PM

Although I don't work for Atlassian, my understanding is that WebDAV is the technical underpinning of the Edit in Office feature. Even if you were to find a way to enable the Office Connector plugin without the WebDAV plugin, I suspect the Edit in Office button would be broken.

Scott Dudley [Cenote] added a comment - 25/Mar/2019 2:36 PM Although I don't work for Atlassian, my understanding is that WebDAV is the technical underpinning of the Edit in Office feature. Even if you were to find a way to enable the Office Connector plugin without the WebDAV plugin, I suspect the Edit in Office button would be broken.

Deleted Account (Inactive) added a comment - 25/Mar/2019 2:24 PM

Hi ,

We have a multi Tenant platform we can not upgrade the confluence in short notice . Could you please provide me the permanent fix for the issue . Also i tried temporary work around , but this is not going to help me as if I enable Office Connector then WebDAV plugin is automatically enabled . We are not suppose to enable the WebDAV plugin due to security reasons .

Thanks,
Nidhi

Deleted Account (Inactive) added a comment - 25/Mar/2019 2:24 PM Hi , We have a multi Tenant platform we can not upgrade the confluence in short notice . Could you please provide me the permanent fix for the issue . Also i tried temporary work around , but this is not going to help me as if I enable Office Connector then WebDAV plugin is automatically enabled . We are not suppose to enable the WebDAV plugin due to security reasons . Thanks, Nidhi

Details

Description

Issue Summary

Attachments

Issue Links

Forms

Activity

Collapse comment: Branno (Inactive) added a comment - 26/Mar/2019 11:33 PM

Upgrade Confluence to an unaffected version

Temporary workaround

Expand comment: Branno (Inactive) added a comment - 26/Mar/2019 11:33 PM

Collapse comment: Scott Dudley [Cenote] added a comment - 25/Mar/2019 2:36 PM

Expand comment: Scott Dudley [Cenote] added a comment - 25/Mar/2019 2:36 PM

Collapse comment: Deleted Account (Inactive) added a comment - 25/Mar/2019 2:24 PM

Expand comment: Deleted Account (Inactive) added a comment - 25/Mar/2019 2:24 PM

People

Dates