Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-33738

Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • High
    • Resolution: Fixed
    • 3.5.13, 3.5.16
    • None
    • None

    Description

      Steps to reproduce:

      1. Confluence 3.5.13
      2. Installed, booted up
      3. Postregres DB
      4. Shutdown, applied patch following advisory
      5. admin panel not accessible
      6. content appears to be missing
      7. see errors in the logs:
        2014-05-22 16:28:50,308 ERROR [http-8080-1] [[Standalone].[localhost].[/].[action]] log Servlet.service() for servlet action threw exception
         -- referer: http://localhost:8080/dashboard.action | url: /display/ds/Example+Human+Resources+Page | userName: admin
        java.lang.AbstractMethodError: com.atlassian.xwork10.Xwork10VersionSupport.extractMethod(Lcom/opensymphony/xwork/ActionInvocation;)Ljava/lang/reflect/Method;
        	at com.atlassian.xwork.interceptors.XsrfTokenInterceptor.intercept(XsrfTokenInterceptor.java:78)
        	at com.atlassian.confluence.xwork.ConfluenceXsrfTokenInterceptor.intercept(ConfluenceXsrfTokenInterceptor.java:25)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.interceptors.CaptchaInterceptor.intercept(CaptchaInterceptor.java:46)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:49)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.core.CancellingInterceptor.intercept(CancellingInterceptor.java:23)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.websudo.WebSudoInterceptor.intercept(WebSudoInterceptor.java:58)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:57)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.setup.webwork.BootstrapAwareInterceptor.intercept(BootstrapAwareInterceptor.java:26)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.user.actions.UserAwareInterceptor.intercept(UserAwareInterceptor.java:58)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.pages.actions.CommentAwareInterceptor.intercept(CommentAwareInterceptor.java:43)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:106)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:68)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedI
        

      Workaround

      Use the old xwork until Atlassian fixes the problem.

      Attachments

        Issue Links

          Activity

            People

              shaffenden Steve Haffenden (Inactive)
              wzanchet William Zanchet (Inactive)
              Votes:
              6 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: