Hi Atlassian Community
You all would've seen the article relating to the zero-day bug identified in the Atlassian Companion app: https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
Does anybody know when we can expect the bug identified to be patched and an updated version of the Atlassian Companion App be ready for download?
Our organisation is currently using the app and although our Confluence is hosted on our intranet only, our IT Risk department still sees this as a dangerous vulnerability that needs to be addressed.
The only alternative is to discontinue the use of the app and revert to the dark feature, to enable customers to edit their office documents.
Hello @Deon Petrus Meyer,
Thank you for contacting us about this. This depends on your current Confluence version. If you are on a version prior to 6.11, then you are not affected.
For the following versions, you'd be able to switch to the original Edit in Office functionality:
6.13.6 - 6.13.8
6.15.6 - 6.15.9
7.1.0 and later
If you are on one of those versions, the steps to enable this feature (see Enable Edit in Office as a dark feature in Confluence) are as follows:
Do note, Edit in Office does not support the editing of all file types supported by the Companion App. Users will, however, be able to edit Microsoft Office documents. Additionally, Edit in Office will only work in the following environments:
Chrome (only in Windows 10 and Office 2016 or later)
Firefox (only in versions 55.x and 56.x)
Internet Explorer 11
If you are not on one of the versions listed above, then you will want to disable the Companion App for now while we work on the fix.
To disable the Companion App:
Once these modules are disabled, users will no longer have the ability to start editing a Confluence attachment directly from the UI. They would need to manually download any attachments, edit them locally, and manually upload them back into Confluence via its UI.
If you have any questions about these workarounds, please let me know.
I will follow up with you here as soon as we have a fix released for this.
Thank you for your understanding!
Hello @Deon Petrus Meyer,
We have another workaround at this time that could work for you. That is that you see if you can update to the latest version of the Confluence Previews plugin. This may fix the problem for some users.
To manually upgrade the Confluence Previews system app:
Download the appropriate version of the Confluence Previews plugin for your version of Confluence from the table above.
Go to COG > Manage apps.
Choose Upload and follow the prompts to manually install the plugin.
See Installing Marketplace apps: Installing by file upload for more information.
The following plugin versions have been released:
Confluence 7.1.x confluence-previews-9.1.5
Confluence 7.0.x confluence-previews-9.0.4
Confluence 6.15.x confluence-previews-8.2.2
Confluence 6.14.x confluence-previews-8.0.7
Confluence 6.13.x (Enterprise release) confluence-previews-7.0.19
May work with 6.12.x (untested)
May work with 6.11.x (known issue - the progress bar for upload/download via Companion doesn’t work)
Let me know if you have any questions about that!
Hello @Shaun Alsobrook,
The impact was to Cloud and DC/Server, but the fix was pushed out to Cloud shortly after the vulnerability was discovered.
My instructions apply only to Server and Data Center sites at this time. More information on that can be found below:
Thank you for the follow-up! By design, when Companion App is not able to make a secure connection, it will automatically default to an insecure connection directly to localhost.
Safari, Edge, IE 11, and some other browsers won't allow this connection due to mixed-content issues (i.e., an insecure connection made from a page being served securely). Firefox and Chrome allow mixed-content connections via localhost, and therefore aren't affected.
I hope this answers your question!
I would recommend for this issue, you raise a support ticket if you are able, or a new question here on Community.