### **Local File Disclosure - CVE-2019-3394**
#### **Severity**
Atlassian rates the severity level of this vulnerability as **critical**, according to the scale published in [our Atlassian severity levels](https://www.atlassian.com/security/security-severity-levels). The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
#### **Description**
Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has **Add Page** space permission would be able to read arbitrary files in the **<install-directory>/confluence/WEB-INF** directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an `atlassian-user.xml` file, which is a deprecated method for configuring LDAP integration.
To determine the impact of this vulnerability, please check your **<install-directory>/confluence/WEB-INF** directory and its subdirectories (especially `/classes/`) for any files that contain LDAP or Crowd credentials (`crowd.properties`, `atlassian-user.xml`), or files that contain any other sensitive data that an administrator may have put in this directory. If nothing is found, this vulnerability is not immediately exploitable.
If credentials are found in these directories, you should cycle the passwords.
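One way to run the check described above, as an added example that is not part of the original advisory or Atlassian's tooling: it walks a WEB-INF directory, flags the two files the advisory names, and flags other files containing credential-like settings. The regular expression is an assumed heuristic and the sample tree is constructed for the demonstration.

```python
import os
import re
import tempfile

# File names the advisory calls out explicitly.
NAMED_FILES = {"crowd.properties", "atlassian-user.xml"}
# Assumed heuristic for credential-like settings; extend it for your environment.
CREDENTIAL_RE = re.compile(
    rb"(password|passwd|secret|securityCredential)\s*[=:>]\s*\S", re.IGNORECASE)

def scan_web_inf(web_inf):
    """Return sorted (relative_path, reason) findings under a WEB-INF directory."""
    findings = []
    for root, _dirs, files in os.walk(web_inf):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, web_inf).replace(os.sep, "/")
            if name in NAMED_FILES:
                findings.append((rel, "named in advisory"))
            elif not name.endswith((".jar", ".class")):  # skip binaries
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(1_000_000)  # first 1 MB is enough here
                except OSError:
                    findings.append((rel, "unreadable, review manually"))
                    continue
                if CREDENTIAL_RE.search(data):
                    findings.append((rel, "credential-like setting"))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed sample layout (not real Confluence files)."""
    classes = os.path.join(base, "classes")
    os.makedirs(classes)
    samples = {
        "crowd.properties": "application.password = CONSTRUCTED-VALUE\n",
        "notes.txt": "ldap.bind.password=CONSTRUCTED-VALUE\n",
        "log4j.properties": "log4j.rootLogger=WARN\n",
    }
    for name, text in samples.items():
        with open(os.path.join(classes, name), "w") as fh:
            fh.write(text)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_web_inf(build_sample_tree(tmp)):
            print(f"{rel}: {reason}")
```

Point `scan_web_inf` at your own `<install-directory>/confluence/WEB-INF` path; any finding is a candidate for password rotation as described above.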
All versions of Confluence Server and Confluence Data Center from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.
This issue can be tracked here: [CONFSERVER-58734](https://jira.atlassian.com/browse/CONFSERVER-58734) - Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394 (CLOSED)
#### Acknowledgements
We would like to acknowledge "Magic Ice Cream Shop" for finding this vulnerability.
### **Fix**
We have taken the following steps to address this issue:
- Released Confluence Server and Data Center version 6.15.8 that contains a fix for this issue, and can be downloaded from [https://www.atlassian.com/software/confluence/download/](https://www.atlassian.com/software/confluence/download).
- Released Confluence Server and Data Center versions 6.6.16 and 6.13.7 that contain a fix for this issue, and can be downloaded from <https://www.atlassian.com/software/confluence/download-archives>.
### **What You Need to Do**
Atlassian recommends that you upgrade to the latest version (6.15.8). For a full description of the latest version of Confluence Server, see the [6.15 Release Notes](https://confluence.atlassian.com/doc/confluence-6-15-release-notes-965554120.html). You can download the latest version of Confluence Server from the Atlassian [website](https://www.atlassian.com/software/confluence/download) and find our [Confluence installation and upgrade guide here](https://confluence.atlassian.com/doc/confluence-installation-and-upgrade-guide-214864161.html).
#### **If you cannot upgrade Confluence Server or Confluence Data Center to version 6.15.8 or higher:**
(1) If you have a current **Enterprise Release version** (an Enterprise Release version released on 28th August 2017 or later), upgrade to the **latest version of your Enterprise Release version**.
| If you have Enterprise Release version... | then upgrade to version: |
| ------------------------------------------------------------ | ------------------------ |
| 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 6.6.13, 6.6.14, 6.6.15 | 6.6.16 |
| 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6 | 6.13.7 |
(2) If you have an **older version** (a feature version released before 28th February 2019, or an Enterprise Release version released before 28th August 2017), either upgrade to the **latest version of Confluence Server or Data Center**, or to the **latest version of an Enterprise Release version**.
If you are running Confluence 6.10 because you are unable to upgrade to a later version due to compatibility issues with Companion App (which replaced Edit in Office), upgrade to **either** **6.15.8** or **6.13.7** (Enterprise Release) and follow the steps in our documentation to [enable the legacy Edit in Office feature](https://confluence.atlassian.com/conf615/administering-the-atlassian-companion-app-967338693.html).
#### **Mitigation**
If you are unable to upgrade Confluence immediately or are in the process of [migrating to Confluence Cloud](https://www.atlassian.com/cloud-migration), then as a **temporary workaround** you can use the **atlassian.confluence.export.word.max.embedded.images** [system property](https://confluence.atlassian.com/doc/configuring-system-properties-168002854.html) to set the maximum number of images to include in Word exports to zero. This will prevent images from being embedded in Word exports.
How you apply the system property depends on how you run Confluence.
- [Run Confluence as a Windows service...](https://confluence.atlassian.com/doc/confluence-security-advisory-2019-08-28-976161720.html#)
- [Start Confluence on Windows manually...](https://confluence.atlassian.com/doc/confluence-security-advisory-2019-08-28-976161720.html#)
- [Start Confluence on Linux manually...](https://confluence.atlassian.com/doc/confluence-security-advisory-2019-08-28-976161720.html#)
See [Configuring System Properties](https://confluence.atlassian.com/doc/configuring-system-properties-168002854.html) for more detailed information on how to pass this system property when running Confluence in AWS using our Quick Start templates, or as a Windows service.
To verify that the workaround was applied correctly:
1. Create a page with an image.
2. Export the page to Word.
3. Verify that the image is not embedded in the exported file.
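The verification steps above can be scripted against the exported file. This is an added example, not part of the original advisory: it assumes the Word export is a MIME multipart (MHTML-style) document, and the function names and the sample export are constructed for illustration.

```python
from email import message_from_bytes

def embedded_images(export_bytes):
    """Return (content_location, content_type) for each image/* part."""
    msg = message_from_bytes(export_bytes)
    if not msg.is_multipart():
        # Assumption: a Word export is MIME multipart; anything else is not
        # evidence that the workaround is in effect, so refuse to guess.
        raise ValueError("not a MIME multipart export")
    return [
        (part.get("Content-Location", ""), part.get_content_type())
        for part in msg.walk()
        if part.get_content_maintype() == "image"
    ]

def workaround_effective(export_bytes):
    """True when the export carries no embedded image parts."""
    return not embedded_images(export_bytes)

def sample_export(with_image):
    """Build a constructed sample export (not a real Confluence file)."""
    lines = [
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="SAMPLE"',
        "",
        "--SAMPLE",
        "Content-Type: text/html; charset=UTF-8",
        "",
        "<html><body><p>page body</p></body></html>",
    ]
    if with_image:
        lines += [
            "--SAMPLE",
            "Content-Type: image/png",
            "Content-Transfer-Encoding: base64",
            "Content-Location: sample-image.png",
            "",
            "aGVsbG8=",
        ]
    lines.append("--SAMPLE--")
    return "\r\n".join(lines).encode() + b"\r\n"

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, workaround_effective(sample_export(flag)))
```

To check a real export, read the downloaded file in binary mode and pass its bytes to `workaround_effective`.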
### **Support**
If you did not receive an email for this advisory and you wish to receive such emails in the future go to <https://my.atlassian.com/email> and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at <https://support.atlassian.com/>.
### **References**
| [Security Bug fix Policy](https://www.atlassian.com/security/secpol) | As per our new policy critical security bug fixes will be back ported in accordance with <https://www.atlassian.com/trust/security/bug-fix-policy>. We will release new maintenance releases for the versions covered by the policy instead of binary patches. **Binary patches are no longer released.** |
| ------------------------------------------------------------ | ------------------------------------------------------------ |
| [Severity Levels for security issues](https://www.atlassian.com/security/security-severity-levels) | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at [FIRST.org](https://www.first.org/cvss/user-guide). |
| [End of Life Policy](https://confluence.atlassian.com/support/atlassian-support-end-of-life-policy-201851003.html) | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |