This morning, a critical severity security vulnerability advisory was issued detailing susceptibilities in Confluence Server and Data Center versions.  Please read the below summary regarding the vulnerabilities as well as what to do if your current Confluence version is affected.

August 2019 Confluence Server advisory – Local File Disclosure Vulnerability – CVE-2019-3394

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 6.1.0 of Confluence Server and Confluence Data Center. Versions of Confluence Server and Confluence Data Center starting with 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. Atlassian Cloud instances are not affected by the issue described on this page. Customers who have upgraded Confluence Server or Confluence Data Center to version 6.6.16, 6.13.7 or 6.15.8 are not affected. Customers who have downloaded and installed the following versions of Confluence Server or Data Center are affected:

All 6.1.x versions
All 6.2.x versions
All 6.3.x versions
All 6.4.x versions
All 6.5.x versions
All 6.6.x versions before 6.6.16 (the fixed version for 6.6.x)
All 6.7.x versions
All 6.8.x versions
All 6.9.x versions
All 6.10.x versions
All 6.11.x versions
All 6.12.x versions
All 6.13.x versions before 6.13.7 (the fixed version for 6.13.x)
All 6.14.x versions
All 6.15.x versions before 6.15.8 (the fixed version for 6.15.x)

Please upgrade your Confluence Server and Confluence Data Center installations immediately to fix this vulnerability.

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. This is our assessment and you should evaluate its applicability to your own IT environment.

What You Need to Do
Atlassian recommends that you upgrade to the latest version (6.14.2). For a full description of the latest version of Confluence Server, see the release notes. You can download the latest version of Confluence Server from the Atlassian website.

Temporary workaround

  1. Stop Confluence.
  2. Edit the <install-directory>/bin/setenv.sh file.
  3. In the block the configures the CATALINA_OPTS variable, add the following line: CATALINA_OPTS=”-Datlassian.confluence.export.word.max.embedded.images=0 ${CATALINA_OPTS}”
  4. Save the file and restart Confluence.


Upgrading Confluence
Atlassian recommends that you upgrade to the latest version (6.15.8).

If you need any assistance with the upgrade or applying the workaround, contact us at: Support@blendedperspectives.com.
If you are Blended Perspectives hosting client, we have notified and applied the workaround already, those are some of the benefits of hosting with us.

Happy coding.
Blended Perspectives