Atlassian Corp. Plc on Wednesday warned customers of its popular Confluence collaboration software to urgently update their installations following the discovery of a critical vulnerability that can allow an attacker to gain access and steal data.
The security advisory affects all versions of Confluence Server and Confluence Data Center from 6.1.0 before 6.6.16, from 6.7.0 before 6.13.7 and from 6.14.0 before 6.15.8.
CVE-2019-3394, as it’s called, is described as a file disclosure vulnerability in the page export function. “A remote attacker who has Add Page space permission would be able to read arbitrary files in the /confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information,” the advisory reads.
Atlassian has released version 6.15.8 of Confluence Server to fix the problem and strongly recommended that customers upgrade now.
Given that the vulnerability affects versions of Confluence Server that may not be easily upgraded, Atlassian has recommended a temporary workaround that can help address the vulnerability.
“As a temporary workaround you can use the atlassian.confluence.export.word.max.embedded.images system property to set the maximum number of images to include in Word exports to zero,” the advisory notes. “This will prevent images from being embedded in Word exports.”
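The following is an added example, not code from Atlassian or from the original article: it checks a Confluence version string against the affected ranges quoted above and checks whether the workaround property is set to zero in a JVM argument string. The inventory, host names and argument strings are constructed, and passing the property to the JVM as a `-D` option is an assumption.

```python
import re
import shlex

# Affected ranges as quoted in the article: (first affected, first fixed), upper bound exclusive.
AFFECTED_RANGES = [
    ((6, 1, 0), (6, 6, 16)),
    ((6, 7, 0), (6, 13, 7)),
    ((6, 14, 0), (6, 15, 8)),
]
WORKAROUND_PROP = "atlassian.confluence.export.word.max.embedded.images"


def parse_version(text):
    """Turn '6.13.4' (a trailing suffix is ignored) into a tuple of three ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def workaround_applied(jvm_args):
    """True only if the property is present and its final value is 0.
    Assumption: a later -D for the same key overrides an earlier one."""
    value = None
    for arg in shlex.split(jvm_args):
        if arg.startswith(f"-D{WORKAROUND_PROP}="):
            value = arg.split("=", 1)[1]
    return value == "0"


def assess(version, jvm_args=""):
    if not is_affected(version):
        return "not in affected range"
    if workaround_applied(jvm_args):
        return "affected, temporary workaround set"
    return "affected, no workaround"


if __name__ == "__main__":
    # Constructed inventory: (host, version, JVM arguments).
    inventory = [
        ("wiki-a", "6.13.4", f"-Xmx4g -D{WORKAROUND_PROP}=0"),
        ("wiki-b", "6.15.7", "-Xmx4g"),
        ("wiki-c", "6.15.8", "-Xmx4g"),
    ]
    for host, version, args in inventory:
        print(f"{host:8} {version:8} {assess(version, args)}")
```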
Atlassian has released eight security updates in 2019, but this is the most significant security warning from the company since a critical vulnerability discovered in April 2017.
The vulnerability disclosure comes as Atlassian, Australia’s most successful tech startup gone public, goes from strength to strength.
In its latest quarterly earnings, the company beat market expectations with earnings of 20 cents per share, up 43% from the same quarter in 2018 on revenue of $334.6 million, up 36%. Atlassian said it expected to book full-year revenue of more than $1 billion for the first time ever.
In achieving success, Atlassian’s founders Mike Cannon-Brookes and Scott Farquhar are among Australia’s richest people, ranking fifth in the country behind mining, property and shopping center magnates.