Notice Date: April 2, 2013
Arsenale is advising customers of the release of a critical-rated security patch for Arsenale Lockpoint for Confluence.
The latest version of Arsenale Lockpoint (v1.4.3) and all subsequent releases contain a fix for this vulnerability. All prior versions of Lockpoint are vulnerable.
This vulnerability could allow remote code execution (with the privileges of the Confluence process) by a user who is authorized to view Confluence pages. This includes anonymous users, if your installation permits anonymous access.
We recommend all Arsenale Lockpoint customers upgrade the product as soon as possible.
If your Arsenale Lockpoint maintenance is currently valid, simply upgrade to the latest version of Lockpoint from Atlassian Marketplace, or use the in-application Confluence plugin manager to do the same.
If your maintenance agreement is expired, you may still be eligible to upgrade to a patched release, as described below. In this case, please use the links below to download the appropriate version of Lockpoint for your Confluence instance, and then upload the JAR to your Confluence installation.
To determine your maintenance status, log into Confluence as an administrator and select Browse->Confluence Admin->Arsenale Lockpoint. Under "License Status", the field "Support and Upgrades Provided Until" will display your current maintenance status for the product.
If your Arsenale Lockpoint maintenance period is currently VALID:
- if using Confluence 3.5 or higher, upgrade to the most current available Lockpoint version (1.4.3+)
- if using Confluence 3.1 through 3.4, upgrade to Lockpoint 220.127.116.11
If your Arsenale Lockpoint maintenance period is EXPIRED and you are running a 25-user or smaller license:
- just request a new license for free from our website. After installing the new license, follow the steps above for products with VALID maintenance.
If your Arsenale Lockpoint maintenance period is EXPIRED and you have a 50+ user license:
You may upgrade to any of the versions indicated below if you meet the listed criteria:
- if your Arsenale Lockpoint maintenance expired on or after 2013-03-09:
- if your Arsenale Lockpoint maintenance expired between 2012-09-29 and 2013-03-08:
- if your Arsenale Lockpoint maintenance expired between 2012-04-19 and 2012-09-28:
- if using Confluence 3.1 through 4.2, upgrade to Lockpoint 18.104.22.168
- if your Arsenale Lockpoint maintenance expired before 2012-04-19, or if your configuration is not listed above:
- you will need to purchase a new or renewal Arsenale Lockpoint license and upgrade Lockpoint to the most recent version compatible with your Confluence installation
If you have any questions, please contact us at Arsenale Support.