-
Bug
-
Resolution: Fixed
-
High
-
None
-
3.5.13, 3.5.16
-
None
Steps to reproduce:
- Confluence 3.5.13
- Installed, booted up
- Postregres DB
- Shutdown, applied patch following advisory
- admin panel not accessible
- content appears to be missing
- see errors in the logs:
2014-05-22 16:28:50,308 ERROR [http-8080-1] [[Standalone].[localhost].[/].[action]] log Servlet.service() for servlet action threw exception -- referer: http://localhost:8080/dashboard.action | url: /display/ds/Example+Human+Resources+Page | userName: admin java.lang.AbstractMethodError: com.atlassian.xwork10.Xwork10VersionSupport.extractMethod(Lcom/opensymphony/xwork/ActionInvocation;)Ljava/lang/reflect/Method; at com.atlassian.xwork.interceptors.XsrfTokenInterceptor.intercept(XsrfTokenInterceptor.java:78) at com.atlassian.confluence.xwork.ConfluenceXsrfTokenInterceptor.intercept(ConfluenceXsrfTokenInterceptor.java:25) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.security.interceptors.CaptchaInterceptor.intercept(CaptchaInterceptor.java:46) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:49) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.core.CancellingInterceptor.intercept(CancellingInterceptor.java:23) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.security.websudo.WebSudoInterceptor.intercept(WebSudoInterceptor.java:58) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:57) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.setup.webwork.BootstrapAwareInterceptor.intercept(BootstrapAwareInterceptor.java:26) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.user.actions.UserAwareInterceptor.intercept(UserAwareInterceptor.java:58) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.pages.actions.CommentAwareInterceptor.intercept(CommentAwareInterceptor.java:43) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:106) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:68) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35) at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165) at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedI
Workaround
Use the old xwork until Atlassian fixes the problem.
- is caused by
-
CONFSERVER-33515 ClassLoader Manipulation vulnerability
-
- Closed
-
Form Name |
---|
Patches are linked: (you need to replace all 3 files):
MD5 (atlassian-xwork-10-1.17.jar) = 789acc22737e29577b9e843d5faf0317
MD5 (atlassian-xwork-core-1.17.jar) = 3e05c38578eec3583b9d5ef5e28fd058
MD5 (xwork-1.0.3.6.jar) = 59c8950b1129637bb63aea94b4139d7f
Steps to apply the patches:
1. Shutdown confluence
2. Move the following files to a location outside of the <CONFLUENCE-INSTALL> folder:
i. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-10.1.12.jar
ii. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-core.1.12.jar
iii. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/xwork-1.0.3.2.jar
3. Add the downloaded files to the <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/ folder.
4. Start up Confluence again
To confirm that you have applied the patch successfully, check the version of the xwork jar that has been loaded into Confluence as follows.
1. Log in as administrator.
2. Navigate to /admin/classpath.action URL on your instance and search for "xwork".
There should be three hits: atlassian-xwork-10-1.17.jar, b/atlassian-xwork-core-1.17.jar and xwork-1.0.3.6.jar. This confirms that the patch has been correctly applied.