Changes to Confluence and Box for Improved Security
Related services: Box, Confluence
In order to address potential security issues, some changes are occurring with Cornell's Confluence Wiki and Box document collaboration services.
Box
As a one-time clean-up effort, Box is changing the access of open shared links from "anyone with the link" to "anyone at Cornell" in cases where all three of the following are true:
- The link is open to anyone
- It is a custom link, not one of the Box random strings
- It has not been used in more than 30 days.
Box is taking this action to protect users who may have over-shared their information, after reports of people scanning for such open custom links. This operation will be performed by Box by the end of the week (April 1, 2019). If you have such a link that you intend to keep open, you should change it back after this week.
For more information about using shared links, see Cornell's Information about Box Shared Links and Box's shared link documentation.
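The three-part rule above is easy to misapply by hand (a link that was used exactly 30 days ago, a link that has never been used, a generated link that happens to be open). The following added example, which is not Box's code or a Box API, expresses the rule as a triage function over constructed link records so each condition can be checked one at a time. It assumes that generated Box links carry a `/s/<random string>` path while custom links carry a `/v/<name>` path, and that a never-used link counts as idle; both are assumptions labelled in the code.

```python
"""Triage of Box shared links under the three-part clean-up rule.

Added example with hypothetical types; not Box's own code or API.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

OPEN = "open"          # "anyone with the link"
COMPANY = "company"    # "anyone at Cornell"


@dataclass(frozen=True)
class SharedLink:
    url: str
    access: str                     # OPEN, COMPANY, or another Box access level
    last_used: Optional[datetime]   # None means the link has never been used


def is_custom_link(url: str) -> bool:
    """Assumption: generated links use /s/<random string>, custom links use /v/<name>."""
    return "/v/" in url


def is_stale(link: SharedLink, now: datetime, max_idle_days: int = 30) -> bool:
    """True when the link has not been used in MORE than max_idle_days."""
    if link.last_used is None:
        return True  # assumption: a never-used link counts as idle
    return now - link.last_used > timedelta(days=max_idle_days)


def should_downgrade(link: SharedLink, now: datetime, max_idle_days: int = 30) -> bool:
    """All three conditions from the announcement must hold."""
    return (
        link.access == OPEN
        and is_custom_link(link.url)
        and is_stale(link, now, max_idle_days)
    )


def downgrade_stale_links(
    links: List[SharedLink], now: datetime, max_idle_days: int = 30
) -> Tuple[List[SharedLink], List[str]]:
    """Return the updated link list and the URLs whose access was changed."""
    updated, changed = [], []
    for link in links:
        if should_downgrade(link, now, max_idle_days):
            updated.append(replace(link, access=COMPANY))
            changed.append(link.url)
        else:
            updated.append(link)
    return updated, changed


# Constructed sample data; the date is the announcement's cut-off week.
NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)
SAMPLE = [
    SharedLink("https://cornell.box.com/v/budget-2018", OPEN, NOW - timedelta(days=45)),   # all three true: downgrade
    SharedLink("https://cornell.box.com/v/team-roster", OPEN, NOW - timedelta(days=3)),    # used recently: keep
    SharedLink("https://cornell.box.com/v/old-notes", COMPANY, NOW - timedelta(days=90)),  # already restricted: keep
    SharedLink("https://cornell.box.com/s/9f3c2a1b7e", OPEN, None),                        # generated slug: keep
    SharedLink("https://cornell.box.com/v/never-opened", OPEN, None),                      # never used: downgrade
    SharedLink("https://cornell.box.com/v/edge-case", OPEN, NOW - timedelta(days=30)),     # exactly 30 days, not "more than": keep
]

if __name__ == "__main__":
    _, changed_urls = downgrade_stale_links(SAMPLE, NOW)
    for url in changed_urls:
        print("downgraded to anyone-at-Cornell:", url)
```

Running the script lists the two links that meet all three conditions; the boundary case of a link last used exactly 30 days ago is left open, matching the announcement's "more than 30 days" wording, and an owner who wants to keep an open link can revert the access level after the clean-up.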
Confluence
On advisement of the vendor and the Cornell IT Security Office, the Confluence WebDAV client plugin and Widget Connector macro have been disabled due to a critical security risk in our current version.
We are unable to identify which spaces are using the WebDAV client plugin to access Confluence through a native client for performing bulk actions.
We have identified 218 pages across various spaces that are currently using the Widget Connector macro to embed online videos, slideshows, photo streams, or calendars in Confluence. If you think your Confluence space may be affected, you can confirm by using the Search Results for Widget Macro to identify pages affected by this change, if you have access to the impacted page.
You will no longer be able to view embedded content on pages that rely on the Widget Connector macro. The Source Editor can show the URL to directly access the content. As a workaround, you can include in your text a hyperlink to the URL in place of the widget.
Once the Confluence upgrade project that’s currently underway is complete, these add-ons will be re-enabled. The add-ons are delivered by the application and do not have an individual update or fix. The only options are upgrading the entire system or disabling the add-ons.
See technical details in the vendor's security advisory.