Unexpected Consequence of Confluence CVE

Hey all,

I have a question relating to the side-effects of the mitigation of this Confluence CVE. Specifically, the inability to see thumbnails of attached files after disabling the 'webDAV' plugin. This occurs when disabling webDAV also disables the 'Office Connector' plugin as a result. Office connector contains the modules which allow Confluence to display thumbnails on pages.

Which modules of office connector interact with the webDAV plugin?

If I were to enable the 'viewdoc', 'viewxls', 'viewppt', and 'viewpdf' modules and have the rest of the office connector modules disabled would this stop the vulnerability from affecting the Confluence instance while still allowing for thumbnails to be present?

2 comments

I think the short version of this question we are trying to answer is:

Can we safely keep the 'viewdoc', 'viewxls', 'viewppt', and 'viewpdf' modules of the Office Connector system plugin enabled?

lauren Atlassian Team Apr 05, 2019

Hey @Patrick Peters [TechTime] and @Simon Merrick

Sorry for the delay here! Asking internally and will get back to you as soon as I can. 

Thanks for your response Lauren, we are also currently following this thread on the partners portal.

There was a suggested workaround to programmatically replace all the Office Connector macros with the File Preview macro, but we are really looking to cause the least impact on the customers' systems, as this is all only temporary until the upgrade is completed.

lauren Atlassian Team Apr 08, 2019

Hey @Simon Merrick !

Firstly, we do recommend disabling the WebDAV plugin as a temporary measure only until you can complete an upgrade.

Disabling the WebDAV plugin will cause the “Edit in Office” button on attachment previews to stop functioning. It will also cause the following macros to stop working: viewdoc, viewxls, viewppt and viewpdf. These macros should all be replaced with the File Preview macro. This can be done in bulk for your entire Confluence instance by following the SQL instructions in this KB article. It sounds like you might have read about this in the thread!

DO NOT re-enable the Office Connector plugin as this will also re-enable WebDAV. Re-enabling Office Connector will re-expose your instance to the vulnerability. Instead, bulk-migrate the office connector macros to the File Preview macro as described in the KB article.

cc @Daniel Eads
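As an added illustration (not code from this thread, from Atlassian, or from the KB article): a Python dry run that audits Confluence storage-format page bodies for the four Office Connector macros named above and rewrites them to the File Preview macro, so the scope of the change can be reviewed before the bulk SQL update is run. The storage-format name `view-file` for the File Preview macro and the sample page bodies are assumptions of this example.

```python
import re
from collections import Counter

# The four Office Connector macros the thread says stop working without WebDAV.
OFFICE_CONNECTOR_MACROS = ("viewdoc", "viewxls", "viewppt", "viewpdf")

# Storage-format name of the File Preview macro (assumption for this example).
FILE_PREVIEW_MACRO = "view-file"

# Match the ac:name attribute of a structured-macro opening tag only, so an
# ac:parameter that merely happens to share a macro's name is left alone.
_MACRO_TAG = re.compile(
    r'(<ac:structured-macro\b[^>]*?\bac:name=")('
    + "|".join(OFFICE_CONNECTOR_MACROS)
    + r')(")'
)

def audit_body(body: str) -> Counter:
    """Count Office Connector macro uses in one page body (storage format)."""
    return Counter(m.group(2) for m in _MACRO_TAG.finditer(body))

def migrate_body(body: str) -> tuple[str, int]:
    """Rewrite each Office Connector macro to the File Preview macro; the
    attachment reference in the macro's 'name' parameter is kept unchanged."""
    return _MACRO_TAG.subn(r"\g<1>" + FILE_PREVIEW_MACRO + r"\3", body)

def migrate_pages(pages: dict, dry_run: bool = True) -> dict:
    """Audit (and, unless dry_run, rewrite in place) a title -> body mapping."""
    report = {}
    for title, body in pages.items():
        found = audit_body(body)
        if not found:
            continue
        new_body, n = migrate_body(body)
        if not dry_run:
            pages[title] = new_body
        report[title] = {"found": dict(found), "rewritten": 0 if dry_run else n}
    return report

# Constructed sample bodies in Confluence storage format (not from a real site).
_ATTACH = '<ac:parameter ac:name="name"><ri:attachment ri:filename="%s" /></ac:parameter>'
SAMPLE_PAGES = {
    "Quarterly report": '<p>See below.</p><ac:structured-macro ac:name="viewpdf" '
                        'ac:schema-version="1">' + _ATTACH % "q1.pdf" + "</ac:structured-macro>",
    "Budget": '<ac:structured-macro ac:name="viewxls">' + _ATTACH % "budget.xlsx"
              + '</ac:structured-macro><ac:structured-macro ac:name="viewdoc">'
              + _ATTACH % "notes.docx" + "</ac:structured-macro>",
    "Already migrated": '<ac:structured-macro ac:name="view-file">' + _ATTACH % "a.pdf"
                        + "</ac:structured-macro>",
}
```

Running `migrate_pages(SAMPLE_PAGES)` lists only the two pages that still carry Office Connector macros; passing `dry_run=False` performs the rewrite on the in-memory copy.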

Daniel_Eads Atlassian Team Apr 08, 2019

Hey Simon,

Also wanted to add some additional context about the modules you mentioned. Because of the linked dependencies, you cannot safely re-enable the Office Connector plugin at all while keeping the WebDAV plugin disabled. As soon as you try to re-enable the Office Connector plugin to disable the other modules, the WebDAV plugin will be re-enabled as well. You will need to refresh the UPM to see this occur, but it cannot be safely done.

Thanks for the clarification Daniel and Lauren. For clarity, I created the configuration I was trying to describe in a local atlas-sdk instance.

Based on @Daniel_Eads' response, though, I think we will put a rest to this line of questioning and focus on expediting the upgrade process for all of our customers.

Thanks for your help team.

Regards,
Simon
