- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>, Terry Fleury <tfleury@illinois.edu>
- Subject: [cv-announce-l] Confluence WebDAV and Widget Connector Vulnerabilities
- Date: Thu, 11 Apr 2019 09:02:53 -0400
CI Operators:
Atlassian has issued a Critical Security Advisory [1] detailing vulnerabilities in Confluence Server and Confluence Data Center. Trusted CI is aware that this vulnerability is being actively exploited, causing impacts to NSF-funded projects/facilities.
Impact:
An attacker is able to exploit a server-side template injection vulnerability [2] to achieve path traversal and remote code execution. Default Confluence installations are known to be vulnerable.
Recommendation:
Update to the latest version of Confluence Server or Data Center [3] immediately. If you are unable to upgrade Confluence immediately, you can implement the following temporary workaround. Go to Settings > Manage apps/add-ons, select System, and disable both the WebDAV and Widget Connector plugins. After upgrading, you will need to manually re-enable these plugins.
Affected Confluence Server and Data Center versions:
* All 1.x.x, 2.x.x, 3.x.x, 4.x.x and 5.x.x versions
* All 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions
* All 6.6.x versions before 6.6.12
* All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions
* All 6.12.x versions before 6.12.3
* All 6.13.x versions before 6.13.3
* All 6.14.x versions before 6.14.2
* Note that Confluence Cloud is NOT affected
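Operators with more than one Confluence instance will want to compare each installed version against the affected-version list above rather than eyeball it. The script below is an added example written for this archive page; it is not part of the Trusted CI alert or of any Atlassian tooling. It encodes exactly the branches and fixed releases listed above, treats any branch newer than 6.14 as outside the list (the alert names nothing above 6.14.x), and runs against a constructed inventory of hostnames and version strings that are not real hosts.

```python
"""Compare Confluence Server / Data Center version strings against the
affected-version list in the alert above.

Added example for this page, not part of the original alert. The
inventory at the bottom is constructed test data, not real hosts."""

from typing import Iterable, List, Tuple

# Branches that received a fixed release, with the first fixed version,
# as listed in the alert. Every other branch up to and including 6.14
# is affected in all of its releases.
FIXED_IN = {
    (6, 6): (6, 6, 12),
    (6, 12): (6, 12, 3),
    (6, 13): (6, 13, 3),
    (6, 14): (6, 14, 2),
}
# Newest branch the alert lists; anything above it is not on the list.
LATEST_LISTED_BRANCH = (6, 14)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '6.13.2' (or '6.13.2-rc1', '6.6') into a comparable tuple."""
    core = version.strip().split("-", 1)[0]      # drop any suffix such as -rc1
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside the alert's affected ranges."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        # Affected only if older than the first fixed release of that branch.
        return (major, minor, patch) < FIXED_IN[branch]
    # All 1.x-5.x releases and every 6.x branch up to 6.14 without a fixed
    # release are affected; branches newer than 6.14 are not on the list.
    return branch <= LATEST_LISTED_BRANCH


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("wiki-a.example.org", "6.13.2"),   # 6.13.x before 6.13.3 -> affected
    ("wiki-b.example.org", "6.13.3"),   # first fixed 6.13 release
    ("wiki-c.example.org", "5.10.8"),   # all 5.x affected
    ("wiki-d.example.org", "6.6.12"),   # first fixed 6.6 release
    ("wiki-e.example.org", "6.15.1"),   # newer than anything the alert lists
]


def hosts_needing_action(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose version is on the affected list."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: affected; upgrade, or disable the WebDAV and "
              f"Widget Connector plugins until you can")
```

Feed it the version each instance reports (the same string shown in the admin console) and act on every host it returns. A version the alert does not list comes back as not affected, which only reflects the list as published on this page; check the linked advisory for later additions.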
References:
[1] https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html
[2] https://jira.atlassian.com/browse/CONFSERVER-57974
[3] https://www.atlassian.com/software/confluence/download
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.