UPDATED 23:23 EST / AUGUST 28 2019

SECURITY

Update now: Atlassian discloses critical vulnerability in Confluence Server

Atlassian Corp. Plc on Wednesday warned customers of its popular Confluence collaboration software to urgently update their installations following the discovery of a critical vulnerability that can allow an attacker to gain access and steal data.

The security advisory covers all versions of Confluence Server and Confluence Data Center from 6.1.0 before 6.6.16, from 6.7.0 before 6.13.7 and from 6.14.0 before 6.15.8.

CVE-2019-3394, as it’s called, is described as a file disclosure vulnerability in the page export function. “A remote attacker who has Add Page space permission would be able to read arbitrary files in the /confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information,” the advisory reads.

Atlassian has released version 6.15.8 of Confluence Server to fix the problem and strongly recommended that customers upgrade now.

Given that the vulnerability affects versions of Confluence Server that may not be easily upgraded, Atlassian has recommended a temporary workaround that can help address the vulnerability.

“As a temporary workaround you can use the atlassian.confluence.export.word.max.embedded.images system property to set the maximum number of images to include in Word exports to zero,” the advisory notes. “This will prevent images from being embedded in Word exports.”
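For administrators triaging several installations, the following added example (not code from Atlassian or from this article) checks a version against the affected ranges quoted above and looks for the workaround property among a JVM's arguments. The function names and the inventory are constructed, and the example assumes the property is passed with the standard Java `-Dname=value` syntax.

```python
import re

# Affected ranges from the advisory as quoted above: [first affected, first fixed)
AFFECTED_RANGES = [
    ((6, 1, 0), (6, 6, 16)),
    ((6, 7, 0), (6, 13, 7)),
    ((6, 14, 0), (6, 15, 8)),
]
WORKAROUND_PROP = "atlassian.confluence.export.word.max.embedded.images"

def parse_version(text):
    """Turn '6.13.4' into (6, 13, 4); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version):
    """True if the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def workaround_set(jvm_args):
    """True if the property is defined via -D and every definition is 0."""
    prefix = f"-D{WORKAROUND_PROP}="
    values = [a.strip("\"'")[len(prefix):] for a in jvm_args.split()
              if a.strip("\"'").startswith(prefix)]
    return bool(values) and all(v == "0" for v in values)

def triage(version, jvm_args=""):
    """Classify one installation; the workaround is temporary, not a fix."""
    if not is_affected(version):
        return "not in affected range"
    if workaround_set(jvm_args):
        return "affected, workaround set: schedule upgrade"
    return "affected, no workaround: upgrade now"

# Constructed inventory: (host, version, JVM arguments)
INVENTORY = [
    ("wiki-a", "6.13.4", "-Xmx4g"),
    ("wiki-b", "6.6.15", f"-Xmx4g -D{WORKAROUND_PROP}=0"),
    ("wiki-c", "6.15.8", "-Xmx4g"),
]

if __name__ == "__main__":
    for host, version, args in INVENTORY:
        print(f"{host:8} {version:8} {triage(version, args)}")
```

Versions outside the three ranges are reported only as not listed in this advisory; the check says nothing about other issues in those releases.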

Atlassian has released eight security updates in 2019, but this is the most significant security warning from the company since a critical vulnerability discovered in April 2017.

The vulnerability disclosure comes as Atlassian, Australia’s most successful tech startup gone public, goes from strength to strength.

In its latest quarterly earnings, the company beat market expectations with earnings of 20 cents per share, up 43% from the same quarter in 2018 on revenue of $334.6 million, up 36%. Atlassian said it expected to book full-year revenue of more than $1 billion for the first time ever.

In achieving success, Atlassian’s founders Mike Cannon-Brookes and Scott Farquhar are among Australia’s richest people, ranking fifth in the country behind mining, property and shopping center magnates.

Photo: Atlassian
