Lockpoint Security Notice 2013-04-02
Notice Date: April 2, 2013
Overview
Arsenale is advising customers of the release of a critical-rated security patch for Arsenale Lockpoint for Confluence.
The latest version of Arsenale Lockpoint (v1.4.3) and all subsequent releases contain a fix for this vulnerability. All prior versions of Lockpoint are vulnerable.
This vulnerability could allow remote code execution (with the privileges of the Confluence process) by a user who is authorized to view Confluence pages. This includes anonymous users, if your installation permits anonymous access.
We recommend all Arsenale Lockpoint customers upgrade the product as soon as possible.
Upgrading
If your Arsenale Lockpoint maintenance is currently valid, simply upgrade to the latest version of Lockpoint from Atlassian Marketplace, or use the in-application Confluence plugin manager to do the same.
If your maintenance agreement is expired, you may still be eligible to upgrade to a patched release, as described below. In this case, please use the links below to download the appropriate version of Lockpoint for your Confluence instance, and then upload the JAR to your Confluence installation.
To determine your maintenance status, log in to Confluence as an administrator and select Browse->Confluence Admin->Arsenale Lockpoint. Under "License Status", the field "Support and Upgrades Provided Until" displays your current maintenance status for the product.
If your Arsenale Lockpoint maintenance period is currently VALID:
- if using Confluence 3.5 or higher, upgrade to the most current available Lockpoint version (1.4.3 or higher)
- if using Confluence 3.1 through 3.4, upgrade to Lockpoint 1.3.0.1
If your Arsenale Lockpoint maintenance period is EXPIRED:
You may upgrade to any of the versions indicated below if you meet the listed criteria:
- if your Arsenale Lockpoint maintenance expired on or after 2013-03-09:
  - if using Confluence 3.5 or higher, upgrade to Lockpoint 1.4.3
  - if using Confluence 3.1 through 3.4, upgrade to Lockpoint 1.3.0.1
- if your Arsenale Lockpoint maintenance expired between 2012-09-29 and 2013-03-08:
  - if using Confluence 4.3, upgrade to Lockpoint 1.3.4.1
  - if using Confluence 3.1 through 4.2, upgrade to Lockpoint 1.3.0.1
- if your Arsenale Lockpoint maintenance expired between 2012-04-19 and 2012-09-28:
  - if using Confluence 3.1 through 4.2, upgrade to Lockpoint 1.3.0.1
- if your Arsenale Lockpoint maintenance expired before 2012-04-19, or if your configuration is not listed above:
  - you will need to purchase a new or renewal Arsenale Lockpoint license and upgrade Lockpoint to the most recent version compatible with your Confluence installation
Questions
If you have any questions, please contact Cenote Support.