Unexpected Consequence of Confluence CVE

Deleted user April 2, 2019

Hey all,

I have a question relating to the side-effects of the mitigation of this Confluence CVE. Specifically, the inability to see thumbnails of attached files after disabling the 'webDAV' plugin. This occurs when disabling webDAV also disables the 'Office Connector' plugin as a result. Office connector contains the modules which allow Confluence to display thumbnails on pages.

Which modules of office connector interact with the webDAV plugin?

If I were to enable the 'viewdoc', 'viewxls', 'viewppt', and 'viewpdf' modules and have the rest of the office connector modules disabled would this stop the vulnerability from affecting the Confluence instance while still allowing for thumbnails to be present?

Simon Merrick April 2, 2019

I think the short version of the question we are trying to answer is:

Can we safely keep the 'viewdoc', 'viewxls', 'viewppt', and 'viewpdf' modules of the Office Connector system plugin enabled?

lauren
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 5, 2019

Hey @[deleted] and @Simon Merrick

Sorry for the delay here! Asking internally and will get back to you as soon as I can. 

Simon Merrick April 5, 2019

Thanks for your response Lauren, we are also currently following this thread on the partners' portal.

There was a suggested workaround to programmatically replace all the Office Connector macros with the File Preview macro, but we are really looking to cause the least impact on the customers' systems as this is all only temporary until the upgrade is completed.

lauren
Atlassian Team
April 8, 2019

Hey @Simon Merrick !

Firstly, we do recommend disabling the WebDAV plugin as a temporary measure only until you can complete an upgrade.

Disabling the WebDAV plugin will cause the “Edit in Office” button on attachment previews to stop functioning. It will also cause the following macros to stop working: viewdoc viewxls viewppt viewpdf. These macros should all be replaced with the File Preview macro. This can be done in bulk for your entire Confluence instance by following the SQL instructions on this KB article. It sounds like you might have read about this in the thread!

DO NOT re-enable the Office Connector plugin as this will also re-enable WebDAV. Re-enabling Office Connector will re-expose your instance to the vulnerability. Instead, bulk-migrate the office connector macros to the File Preview macro as described in the KB article.

cc @Eaniel Deads 
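As an added illustration of the bulk migration Lauren describes (this is not the SQL from the KB article and not Atlassian's code), the script below walks a set of page bodies in Confluence storage format, first reports how many viewdoc / viewxls / viewppt / viewpdf macros are present, and then renames each of those macros to the File Preview macro while keeping the attachment reference intact. It assumes the storage-format names of the four Office Connector macros match the names used in the thread and that the File Preview macro is stored as `ac:name="view-file"`; the sample bodies are constructed for the example. Run it in dry-run mode against a database backup first so the totals can be reviewed before anything is rewritten.

```python
import re
from typing import Dict, Tuple

# The four Office Connector macros named in the thread. Assumption: their
# storage-format ac:name values are the same as the names used above.
OFFICE_CONNECTOR_MACROS = ("viewdoc", "viewxls", "viewppt", "viewpdf")

# Assumption: the File Preview macro is stored as ac:name="view-file".
FILE_PREVIEW_MACRO = "view-file"

# Matches the ac:name attribute of a structured macro whose name is one of the
# Office Connector macros; group 2 is the macro name. [^>]*? cannot cross the
# closing '>' of the tag, so nested <ac:parameter ac:name="name"> is never touched.
_MACRO_NAME_RE = re.compile(
    r'(<ac:structured-macro\b[^>]*?\bac:name=")('
    + "|".join(OFFICE_CONNECTOR_MACROS)
    + r')(")'
)


def audit_body(body: str) -> Dict[str, int]:
    """Count Office Connector macros in one page body (read-only step)."""
    counts = {name: 0 for name in OFFICE_CONNECTOR_MACROS}
    for match in _MACRO_NAME_RE.finditer(body):
        counts[match.group(2)] += 1
    return counts


def migrate_body(body: str) -> Tuple[str, int]:
    """Return the body with each Office Connector macro renamed to the File
    Preview macro, plus the number of macros changed. Only the macro's ac:name
    changes; the 'name' parameter pointing at the attachment is preserved."""
    return _MACRO_NAME_RE.subn(
        lambda m: m.group(1) + FILE_PREVIEW_MACRO + m.group(3), body
    )


def migrate_all(
    bodies: Dict[int, str], dry_run: bool = True
) -> Tuple[Dict[int, str], Dict[str, int]]:
    """Walk a {content_id: body} mapping. With dry_run=True nothing is rewritten
    and only per-macro totals are reported, so the change can be reviewed first."""
    totals = {name: 0 for name in OFFICE_CONNECTOR_MACROS}
    migrated: Dict[int, str] = {}
    for content_id, body in bodies.items():
        for name, n in audit_body(body).items():
            totals[name] += n
        migrated[content_id] = body if dry_run else migrate_body(body)[0]
    return migrated, totals


# Constructed sample bodies in storage format (not taken from a real instance).
SAMPLE_BODIES = {
    101: (
        "<p>Spec:</p>"
        '<ac:structured-macro ac:name="viewdoc" ac:schema-version="1">'
        '<ac:parameter ac:name="name"><ri:attachment ri:filename="spec.docx" /></ac:parameter>'
        "</ac:structured-macro>"
    ),
    102: (
        '<ac:structured-macro ac:name="viewpdf" ac:schema-version="1">'
        '<ac:parameter ac:name="name"><ri:attachment ri:filename="report.pdf" /></ac:parameter>'
        "</ac:structured-macro>"
        # Already a File Preview macro: must be left alone and not double-converted.
        '<ac:structured-macro ac:name="view-file" ac:schema-version="1">'
        '<ac:parameter ac:name="name"><ri:attachment ri:filename="already.pdf" /></ac:parameter>'
        "</ac:structured-macro>"
    ),
}


if __name__ == "__main__":
    _, totals = migrate_all(SAMPLE_BODIES, dry_run=True)
    print("Office Connector macros found:", totals)
    migrated, _ = migrate_all(SAMPLE_BODIES, dry_run=False)
    for content_id, body in migrated.items():
        print(content_id, "file-preview macros now:", body.count(f'ac:name="{FILE_PREVIEW_MACRO}"'))
```

The audit step is deliberately separate from the rewrite: on a large instance the totals tell you how many pages the mitigation touches before any row is changed, which is the same review you would want before running a bulk UPDATE against BODYCONTENT.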

Daniel Eads
Atlassian Team
April 8, 2019

Hey Simon,

Also wanted to add some additional context about the modules you mentioned. Because of the linked dependencies, you cannot safely re-enable the Office Connector plugin at all while keeping the WebDAV plugin disabled. As soon as you try to re-enable the Office Connector plugin to disable the other modules, the WebDAV plugin will be re-enabled as well. You will need to refresh the UPM to see this occur, but it cannot be safely done.

Simon Merrick April 8, 2019

Thanks for the clarification Daniel and Lauren. For clarity, I created the configuration I was trying to describe in a local atlas-sdk instance.

Based on @Daniel Eads' response, though, I think we will put a rest to this line of questioning and focus on expediting the upgrade process for all of our customers.

Thanks for your help team.

Regards,
Simon
