Atlassian have recently announced a security vulnerability that affects Confluence Server and Data Center products. If you use this product, see below for steps to address this vulnerability.
Atlassian rates the severity level of this vulnerability as critical, according to the scale published at Atlassian severity levels.
This is their assessment and you should evaluate its applicability to your own IT environment.
Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an atlassian-user.xml file, which is a deprecated method for configuring LDAP integration.
To determine the impact of this vulnerability, please check your <install-directory>/confluence/WEB-INF directory and its subdirectories (especially /classes/) for any files that contain LDAP or Crowd credentials (crowd.properties, atlassian-user.xml), or files that contain any other sensitive data that an administrator may have put in this directory. If nothing is found, this vulnerability is not immediately exploitable.
If credentials are found in these directories, you should cycle the passwords.
Atlassian recommends that you upgrade to the latest version (6.15.8). For a full description of the latest version of Confluence Server or Confluence Data Center, see the 6.15.8 Release Notes. You can download the latest version of Confluence Server or Confluence Data Center from the Atlassian website and find our Confluence installation and upgrade guide here.
(1) If you have a current enterprise release version (an enterprise release version released on 28th August 2017 or later), upgrade to the latest version of your enterprise release version.
If you have enterprise release version... then upgrade to version:
6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 6.6.13, 6.6.14, 6.6.15
6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6
(2) If you have an older version (a feature version released before 28th February 2019, or an enterprise release version released before 28th August 2017), either upgrade to the latest version of Confluence Server or Data Center, or to the latest version of an enterprise release version.
If you are running Confluence 6.10 because you are unable to upgrade to a later version due to compatibility issues with Companion App (which replaced Edit in Office), upgrade to either 6.15.8 or 6.13.7 (Enterprise Release) and follow the steps in our documentation to enable the legacy Edit in Office feature.
If you are unable to upgrade Confluence immediately or are in the process of migrating to Confluence Cloud, then as a temporary workaround you can use the atlassian.confluence.export.word.max.embedded.images system property to set the maximum number of images to include in Word exports to zero. This will prevent images from being embedded in Word exports.
How you apply the system property depends on how you run Confluence.
Open Command Prompt and cd to the <install-directory>\bin directory
Run the following command, where "SERVICENAME" is your service name.
Note that the Tomcat version may be different in your version of Confluence. You can check the name of your Tomcat file in the <install-directory>/bin directory (it will be either tomcat8w.exe or tomcat9w.exe).
In the Java Options field, add the following on a new line:
See for more detailed information on how to pass this system property.
In the block that configures the CATALINA_OPTS variable, add the following line:
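The two checks this advisory asks for, looking under confluence/WEB-INF for files that hold LDAP or Crowd credentials and confirming that the temporary workaround property is actually applied in setenv.sh, can be scripted. The script below is an added example, not Atlassian's own tooling. It assumes a Tomcat-style install with a bin/setenv.sh and that the property is passed in the standard Java -Dname=value form; the sample install tree it builds, and the placeholder values in it, are constructed so the script runs offline. Set CONFLUENCE_HOME to your <install-directory> to audit a real install instead.

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling. It audits a Confluence
# <install-directory> for the two things the advisory asks you to check:
#   1. files under confluence/WEB-INF that may hold LDAP/Crowd credentials
#      (crowd.properties, atlassian-user.xml, or any .properties/.xml that
#      mentions a password-like key), and
#   2. whether bin/setenv.sh applies the temporary workaround property
#      atlassian.confluence.export.word.max.embedded.images=0.
# Assumptions: a Tomcat layout with bin/setenv.sh, and the property passed
# in the standard Java -Dname=value form.

# Print one path per line for every credential-bearing candidate under
# confluence/WEB-INF. Returns 0 if at least one file was found, 1 otherwise.
find_credential_files() {
    webinf="$1/confluence/WEB-INF"
    [ -d "$webinf" ] || return 1
    {
        # Files the advisory names explicitly.
        find "$webinf" -type f \( -name crowd.properties -o -name atlassian-user.xml \)
        # Any other config file that mentions a secret-looking key.
        find "$webinf" -type f \( -name '*.properties' -o -name '*.xml' \) \
            -exec grep -Eil 'password|secret|credential' {} +
    } | sort -u | grep .
}

# Return 0 if setenv.sh sets the workaround property to exactly 0.
workaround_applied() {
    setenv="$1/bin/setenv.sh"
    [ -f "$setenv" ] || return 1
    grep -Eq -- '-Datlassian\.confluence\.export\.word\.max\.embedded\.images=0([[:space:]"]|$)' "$setenv"
}

# Human-readable summary for one install directory.
audit() {
    echo "== credential-bearing files under $1/confluence/WEB-INF =="
    find_credential_files "$1" || echo "(none found)"
    if workaround_applied "$1"; then
        echo "workaround: max embedded images is 0 in bin/setenv.sh"
    else
        echo "workaround: NOT applied in bin/setenv.sh"
    fi
}

# Constructed sample install tree so the script runs offline. The values are
# placeholders, not real credentials.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/confluence/WEB-INF/classes" "$demo_dir/bin"
cat > "$demo_dir/confluence/WEB-INF/classes/crowd.properties" <<'EOF'
application.name=confluence
application.password=PLACEHOLDER
EOF
cat > "$demo_dir/confluence/WEB-INF/classes/atlassian-user.xml" <<'EOF'
<atlassian-user><ldap password="PLACEHOLDER"/></atlassian-user>
EOF
echo 'some.other.setting=true' > "$demo_dir/confluence/WEB-INF/classes/harmless.properties"
cat > "$demo_dir/bin/setenv.sh" <<'EOF'
CATALINA_OPTS="-Datlassian.confluence.export.word.max.embedded.images=0 ${CATALINA_OPTS}"
export CATALINA_OPTS
EOF

# Audit CONFLUENCE_HOME if set, otherwise the constructed sample tree.
audit "${CONFLUENCE_HOME:-$demo_dir}"
```

On the constructed tree the audit lists crowd.properties and atlassian-user.xml (harmless.properties carries no secret-looking key and is skipped) and reports the workaround as applied. Any file it lists is one whose credentials should be cycled, as the advisory says; a "NOT applied" result on a Windows service install is expected, since the property then lives in the Java Options of the service configuration rather than in setenv.sh.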