Vulnerability in Confluence version

documentation

(Andrew) #1

Hey, guys, I believe there is a remote code execution vulnerability on your website: https://docs.sonarqube.org/pages/ and your bug reporting process is broken. I couldn’t find any contacts and had to register here, only to find that new users aren’t allowed to create new threads either.

I don’t feel comfortable sharing that sort of information publicly, but I guess doing it on this forum is better than over Twitter.

Anyway, here it goes. Your website https://docs.sonarqube.org/pages/ uses an outdated Confluence version (6.4.3) that is vulnerable to remote code execution. This flaw has been known since March and is trivially exploited. Furthermore, there is a public exploit in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/11717 . I have information about these bugs being exploited in the wild, and automated scanning has been happening for a few days now.

Please update your Confluence, check logs for indicators of compromise, and establish clear guidelines for reporting security incidents so that the next researcher does not have to drop zero days in your software on fucking Twitter.
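
The report above boils down to an inventory question: which Confluence version is this host running, and is it older than the versions the vendor fixed? The following is an added example, not code from the original thread or from SonarSource, showing one way to automate that check. It assumes (not stated on the page) that Confluence pages carry a `<meta name="ajs-version-number" content="...">` tag, and that the operator supplies the per-branch fixed versions from the vendor advisory; the `FIXED_VERSIONS` list and the sample HTML below are hypothetical placeholders, since the thread names only the vulnerable version (6.4.3), not the fixed ones.

```python
"""
Added example (not from the original thread or SonarSource): version check
for a Confluence instance, comparing the version it advertises in its HTML
against operator-supplied minimum patched versions, one per release branch.

Assumptions (not on the page):
  - Confluence pages include <meta name="ajs-version-number" content="x.y.z">.
  - FIXED_VERSIONS holds the fixed release of each branch from the vendor
    advisory; the values below are placeholders, not real advisory data.
"""
import re
from typing import Dict, List, Optional, Tuple

VERSION_META_RE = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE
)

# Constructed sample of a Confluence page head, for offline use.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="ajs-version-number" content="6.4.3">
<meta name="ajs-build-number" content="7401">
<title>Dashboard - Confluence</title>
</head><body></body></html>"""

# HYPOTHETICAL placeholders: one fixed release per branch (major.minor).
# Replace with the versions listed in the advisory for the flaw in question.
FIXED_VERSIONS = ["6.6.100", "6.12.100", "6.13.100", "6.15.100"]


def extract_version(html: str) -> Optional[str]:
    """Return the advertised version string, or None if the tag is absent."""
    m = VERSION_META_RE.search(html)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """'6.4.3' -> (6, 4, 3); '6.15.0-beta1' keeps the numeric prefix (6, 15, 0)."""
    parts: List[int] = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison, so '6.10' is newer than '6.4' (string order is wrong)."""
    pa, pb = _padded(parse_version(a), parse_version(b))
    return pa < pb


def is_patched(version: str, fixed_versions: List[str]) -> bool:
    """
    Patched if the instance is at or above the fixed release of its own
    major.minor branch. A branch without a listed fix counts as patched only
    when it is at or above the newest fixed release (conservative reading of
    advisories that list fixes per branch).
    """
    branch = parse_version(version)[:2]
    same_branch = [f for f in fixed_versions if parse_version(f)[:2] == branch]
    if same_branch:
        return not version_lt(version, same_branch[0])
    newest = max(fixed_versions, key=parse_version)
    return not version_lt(version, newest)


def assess(html: str, fixed_versions: List[str]) -> Dict[str, Optional[str]]:
    """Classify a fetched page as patched / vulnerable / unknown."""
    version = extract_version(html)
    if version is None:
        return {"version": None, "status": "unknown"}
    status = "patched" if is_patched(version, fixed_versions) else "vulnerable"
    return {"version": version, "status": status}


if __name__ == "__main__":
    # In practice, fetch the HTML of the instance's front page and pass it in.
    print(assess(SAMPLE_HTML, FIXED_VERSIONS))
```

A status of "unknown" (no version tag) should be treated as a finding in its own right, not as a pass: the host still needs manual identification. Note that this tells you only whether the version is current; it says nothing about whether the host was already compromised, which is why the reporter's advice to review logs stands regardless of the result.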


Split from the topic: Whole files considered new code in short-lived branch
(G Ann Campbell) #4

Hi,

Thanks for the report. We were already in the process of getting off of Confluence. This may speed things up. Anyway, we’ve triggered the correct internal notifications of your report.

You’re also right that we need a (better) vulnerability reporting process. Hopefully that will be in place soon too.

Ann

For posterity’s sake it should be noted that I split this into a new topic from the unrelated thread it was originally posted in.


(Eric Hartmann) #7

Thanks for the notification; a countermeasure to fix this vulnerability has been installed.