Missed Team ’24? Catch up on announcements here.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Latest security vulnerability

Dave Drexler
Dave Drexler September 10, 2012

Hi - regarding https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11

It's not practical for us to upgrade our site at this time, but a patch has not been produced for this issue. What are our options to mitigate the problem?

Answer
Watch
Like Nic Brough -Adaptavist- likes this
1048 views

3 answers

0 votes
LuizA
LuizA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
February 17, 2013

Hello Julie,

Yes, it is vulnerable, as explained in the security advisory, this vulnerability affects all versions of Confluence earlier than 4.1.8 and it has been fixed in Confluence 4.1.9 and later.

Regarding the 3.5.x, the latest version would be the 3.5.17 version and if you're planning to upgrade your instance we would suggest you to upgrade to a more recent version (4.3.x).

Hope this helps.

Kind Regards,

LJ.

Reply
0 votes
Sameera Shaakun2
Sameera Shaakunthala [inactive]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
February 17, 2013

Appreciate if you could tag your questions. :)

Reply
0 votes
JohnA
JohnA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 10, 2012

Hi Dave,

We only release patches for Critical security issues, but this one has only been designated as High risk so there isn't a patch released with this security advisory. I also see that there doesn't appear to be any suggestions for mitigate this issue, but the XSS issues affect cookies so I believe that this vulnerability goes to the core of the application and therefore the only mitigation is to upgrade. Of course if your Confluence isn't exposed to the internet then you are at less risk of malicious attack, but the XSS issue would still remain a threat to people who have access to the network. Although I think the best way of mitigating the threat from XSS attacks is to understand how they work, as this is always the easiest to prevent attacks: http://www.cgisecurity.com/articles/xss-faq.shtml

All the best,
John

View More Comments
jmpetersen
jmpetersen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 10, 2012

Is Confluence 3.5.16 vulnerable? If so, will there be a new 3.5.x release?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events