Atlassian Companion App Zero-Day Bug Patching

Deon Petrus Meyer December 5, 2019

Hi Atlassian Community

You all would've seen the article relating to the zero-day bug identified in the Atlassian Companion app: https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

Does anybody know when we can expect the bug identified to be patched and an updated version of the Atlassian Companion App be ready for download?

Our organisation is currently using the app and although our Confluence is hosted on our intranet only, our IT Risk department still sees this as a dangerous vulnerability that needs to be addressed.

The only alternative is to discontinue the use of the app and revert to the dark feature, to enable customers to edit their Office documents.

1 answer

1 accepted

0 votes
Answer accepted
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 6, 2019

Hello @Deon Petrus Meyer,

Thank you for contacting us about this. This depends on your current Confluence version. If you are on a version prior to 6.11, then you are not affected.

For the following versions, you'd be able to switch to the original Edit in Office functionality:

  • 6.13.6 - 6.13.8

  • 6.15.6 - 6.15.9

  • 7.1.0 and later

If you are on one of those versions, the steps to enable this feature (see Enable Edit in Office as a dark feature in Confluence) are as follows:

  1. Go to <confluence-url>/admin/darkfeatures.action.
  2. Add the enable.legacy.edit.in.office dark feature flag.
  3. Select Submit.

Do note, Edit in Office does not support the editing of all file types supported by the Companion App. Users will, however, be able to edit Microsoft Office documents. Additionally, Edit in Office will only work in the following environments:

  • OS: Windows

  • Browsers:

    • Chrome (only in Windows 10 and Office 2016 or later)

    • Firefox (only in versions 55.x and 56.x)

    • Internet Explorer 11

If you are not on one of the versions listed above, then you will want to disable the Companion App for now while we work on the fix.

To disable the Companion App:

  1. Click Settings > Manage Apps
  2. Select System from the dropdown
  3. Search for Confluence Previews
  4. Click the + next to 28 of 28 modules enabled
  5. Disable the following modules:
    1. ADCClient AMD Wrapper (companion-client-wrapper)
      • This is the only mandatory module to disable the Companion App. The rest remove UI elements that display 'Edit with' to avoid confusion
    2. Edit With button (companion-plugin-button)
    3. Templates for Edit With feature (companion-plugin-templates)
    4. Companion CSS resources (companion-plugin-css)
    5. Edit With plugin for the Media Viewer (companion-plugin)
    6. Embedded 'Edit With' button (embedded-edit)

Once these modules are disabled, users will no longer have the ability to start editing a Confluence attachment directly from the UI. They would need to manually download any attachments, edit them locally, and manually upload them back into Confluence via its UI.

If you have any questions about these workarounds, please let me know. 

I will follow-up with you here as soon as we have a fix released for this.

Thank you for your understanding!

Regards,

Shannon
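The answer above gives two decision points an administrator has to apply by hand: which case a Confluence Server/Data Center version falls into, and whether the Companion modules of the Confluence Previews system app really are disabled afterwards. The following script is an added example, not Atlassian's code or anything from the thread. It encodes the version ranges stated in the answer and checks the module list that the Universal Plugin Manager (UPM) REST endpoint `/rest/plugins/1.0/<pluginKey>-key` returns; the plugin key `com.atlassian.confluence.plugins.confluence-previews` and the JSON field names `modules`, `key` and `enabled` are assumptions to confirm against your own instance, and `SAMPLE_PLUGIN_JSON` is a constructed sample so the audit runs offline.

```python
"""Added example (not Atlassian's code): triage a Confluence Server/DC
version against the ranges in the accepted answer, and audit which
Companion modules of the Confluence Previews system app are still enabled."""
import base64
import json
import urllib.request

# Module keys exactly as listed in the accepted answer.
COMPANION_MODULES = {
    "companion-client-wrapper": "ADCClient AMD Wrapper",
    "companion-plugin-button": "Edit With button",
    "companion-plugin-templates": "Templates for Edit With feature",
    "companion-plugin-css": "Companion CSS resources",
    "companion-plugin": "Edit With plugin for the Media Viewer",
    "embedded-edit": "Embedded 'Edit With' button",
}
MANDATORY_MODULE = "companion-client-wrapper"

# ASSUMPTION: plugin key of the Confluence Previews system app; confirm it
# under Manage apps > System before relying on it.
PREVIEWS_PLUGIN_KEY = "com.atlassian.confluence.plugins.confluence-previews"


def parse_version(version):
    """'6.13.7' -> (6, 13, 7); missing components are padded with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def triage_version(version):
    """Map a Confluence version to the three cases the answer describes."""
    v = parse_version(version)
    if v < (6, 11, 0):
        return "not_affected"
    if (6, 13, 6) <= v <= (6, 13, 8) or (6, 15, 6) <= v <= (6, 15, 9) or v >= (7, 1, 0):
        return "legacy_edit_in_office"   # enable.legacy.edit.in.office dark feature
    return "disable_companion"           # disable the Companion modules instead


def companion_modules_still_enabled(plugin_json):
    """Return {module key: name} for Companion modules the UPM JSON reports as enabled."""
    still_on = {}
    for module in plugin_json.get("modules", []):
        key = module.get("key")
        if key in COMPANION_MODULES and module.get("enabled", False):
            still_on[key] = COMPANION_MODULES[key]
    return still_on


def workaround_applied(plugin_json):
    """True once the one mandatory module is disabled; the rest only tidy the UI."""
    return MANDATORY_MODULE not in companion_modules_still_enabled(plugin_json)


def fetch_plugin_json(base_url, user, password):
    """GET <base>/rest/plugins/1.0/<pluginKey>-key from the UPM REST API (basic auth).
    ASSUMPTION: endpoint path and response shape; not exercised offline."""
    url = f"{base_url.rstrip('/')}/rest/plugins/1.0/{PREVIEWS_PLUGIN_KEY}-key"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the shape UPM is assumed to return (only the fields
# used here), describing an instance where only the mandatory module is off.
SAMPLE_PLUGIN_JSON = {
    "key": PREVIEWS_PLUGIN_KEY,
    "modules": [
        {"key": "companion-client-wrapper", "enabled": False},
        {"key": "companion-plugin-button", "enabled": True},
        {"key": "companion-plugin-templates", "enabled": True},
        {"key": "file-preview", "enabled": True},  # unrelated module, ignored
    ],
}

if __name__ == "__main__":
    print(triage_version("6.14.3"))                      # disable_companion
    print(companion_modules_still_enabled(SAMPLE_PLUGIN_JSON))
    print(workaround_applied(SAMPLE_PLUGIN_JSON))        # True
```

Against a live instance, replace `SAMPLE_PLUGIN_JSON` with `fetch_plugin_json("https://confluence.example", user, password)` and run the same two functions; the audit treats the workaround as applied as soon as `companion-client-wrapper` is off, exactly as the answer states, and reports the remaining UI-only modules separately.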

Shannon S
Atlassian Team
December 9, 2019

Hello @Deon Petrus Meyer,

We have another workaround at this time that could work for you. That is, see if you can update to the latest version of the Confluence Previews plugin. This may fix the problem for some users.

To manually upgrade the Confluence Previews system app:

  1. Download the appropriate version of the Confluence Previews plugin for your version of Confluence from the table above.

  2. Go to COG > Manage apps.

  3. Choose Upload and follow the prompts to manually install the plugin.

See Installing Marketplace apps: Installing by file upload for more information.

The following plugin versions have been released:

Let me know if you have any questions about that!

Regards,

Shannon 

Deon Petrus Meyer December 9, 2019

Thanks @Shannon S

I'll check it out. 

Shaun Alsobrook December 12, 2019

@Shannon S With the Cloud version of Confluence, the versioning does not seem to be the same as the above, what should we do as a workaround? Also, where is the status for the fix being tracked so we can monitor? Thanks, Shaun

Darryl St_ Pierre
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 12, 2019

Apparently the question is whether or not this impacts Cloud, or only Server...

Shaun Alsobrook December 12, 2019

Very true.  Good way of restating it.

Shannon S
Atlassian Team
December 13, 2019

Hello @Shaun Alsobrook,

The impact was to Cloud and DC/Server, but the fix was pushed out to Cloud shortly after the vulnerability was discovered.

My instructions apply only to Server and Data Center sites at this time. More information on that can be found below:

Regards,

Shannon

Heikki Harsunen
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
December 13, 2019

From that linked page:

This problem does not affect people using Chrome or Firefox 56 or later.

Are you sure Google and Mozilla won't push revocation to modern browsers? Have you made arrangement with them not to push their CRLsets?


Anh Le
I'm New Here
December 19, 2019

Hi,

I have updated Confluence Previews as advised, but Edit with MS Office stopped working after that.

"Some of the content could not be read, do you want to reset it?" 

- Confluence 6.14.x confluence-previews-8.0.7


Brs,

Le Anh Dung

Shannon S
Atlassian Team
December 30, 2019

@Heikki Harsunen,

Thank you for the follow-up! By design, when Companion App is not able to make a secure connection, it will automatically default to an insecure connection directly to localhost.

Safari, Edge, IE 11, and some other browsers won't allow this connection due to mixed-content issues (i.e., an insecure connection made from a page being served securely). Firefox and Chrome allow mixed-content connections via localhost, and therefore aren't affected.

I hope this answers your question!

@Anh Le,

I would recommend for this issue, you raise a support ticket if you are able, or a new question here on Community.

Regards,

Shannon 
