Confluence SSRF and Remote Code Execution Vulnerability Handling Guide

Confluence SSRF and Remote Code Execution Vulnerability Handling Guide

April 22, 2019 | Mina Hao

1 Vulnerability Overview

Recently, Atlassian officially released a security bulletin, announcing a server-side request forgery (SSRF) vulnerability and a remote code execution vulnerability (CVE-2019-3396). The two vulnerabilities respectively reside in WebDAV and Widget Connector and could be exploited by an attacker for remote code execution and server-side request forgery.

  • CVE-2019-3395 WebDAV

Confluence Server and Data Center versions released before June 18, 2018 are vulnerable to this issue. This vulnerability exists in the WebDAV plug-in, which allows an attacker to implement server-side request forgery by sending arbitrary HTTP or WebDAV requests from a Confluence Server or Data Center.

V6.8.5 and V6.9.3 are officially released to fix this vulnerability.

  • CVE-2019-3396 Widget Connector

This vulnerability is a server-side template injection vulnerability which exists in the Widget Connector plug-in in the Confluence Server and Data Center. An attacker could exploit this vulnerability for directory traversal and remote code execution.

V6.12.3, V6.13.3, and 6.14.2 are officially released to fix this vulnerability.

Currently, the PoC of this vulnerability is publicly available. The following screenshot shows the vulnerability exploitation success.

Reference link:

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

2 Scope of Impact

Affected Versions

  • Confluence 1.*.*, 2.*.*, 3.*.*, 4.*.*, 5.*.*
  • Confluence 6.0.*, 6.1.*, 6.2.*, 6.3.*, 6.4.*, 6.5.*
  • Confluence 6.6.* < 6.6.12
  • Confluence 6.7.*, 6.8.*, 6.9.*, 6.10.*, 6.11.*
  • Confluence 6.12.* < 6.12.3
  • Confluence 6.13.* < 6.13.3
  • Confluence 6.14.* < 6.14.2

Unaffected Versions

  • Confluence >= 6.6.12
  • Confluence >= 6.12.3
  • Confluence >= 6.13.3
  • Confluence >= 6.14.2
  • Confluence 6.15.1

The vendor has indicated that Confluence Cloud is not affected by the two vulnerabilities in question.

3 Check for the Vulnerability

Users can click  and select About Confluence to check the current version of Confluence to determine whether it is affected.

4 Recommended Mitigation Measures

4.1 Official Upgrade

The vendor advises users to upgrade Confluence to the latest version V6.15.1 by downloading and installing patches from the following links to ensure the security and stability of this service.

https://www.atlassian.com/software/confluence/download/

https://atlassian.com/software/confluence/download/data-center

If the service cannot be upgraded to the latest version, users can upgrade it to a version that has the vulnerabilities fixed, by reference to the following table:

Vulnerable Version Version with the Vulnerabilities Fixed
6.12.0, 6.12.1, 6.12.2 6.12.3
6.14.0, 6.14.1 6.14.2
6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11 6.6.12
6.13.0, 6.13.1, 6.13.2 6.13.3
Other earlier versions 6.14.2, 6.13.3, or 6.6.12

4.2 Upgrading the Widget Connector Plug-in to a Secure Version

Users can fix the vulnerability (CVE-2019-3396) by replacing widgetconnector-*.jar with widgetconnector-3.1.4.jar. The detailed procedure is as follows:

  1. Locate the widgetconnector-*.jar file. For the Linux system, you can run the following command to search for this file:

  1. Replace the current widgetconnector-*.jar file with the secure version (widgetconnector-3.1.4.jar) by downloading the secure file from the following link:

https://packages.atlassian.com/maven-public/com/atlassian/confluence/extra/widgetconnector/widgetconnector/3.1.4/widgetconnector-3.1.4.jar

  1. Restart the service to complete the remediation.

4.3 Disabling Insecure Plug-ins

If it is impossible to upgrade Confluence immediately, users can choose  > Manage apps/add-ons and select System to disable the following plug-ins:

  • WebDAV plug-in
  • Widget Connector

Notes:

  • If the Widget Connector plug-in is disabled, the Widget Connector macro will be unavailable and users will be shown an “unknown plug-in” error. This macro is used to display contents from YouTube, Vimeo, and Twitter.
  • If the WebDAV plug-in is disabled, users will not be able to connect to Confluence by using a WebDAV client. Also, disabling this plug-in causes the Office Connector plug-in to be disabled.

After the upgrade is completed, you need to enable the following plug-ins manually:

  • WebDAV plug-in
  • Widget Connector
  • Office Connector.

Appendix

  • Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

  • About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

https://www.nsfocusglobal.com

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.