Confluence Data Center
CONFSERVER-33738

Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Affects versions: 3.5.13, 3.5.16

      Steps to reproduce:

      1. Confluence 3.5.13
      2. Installed, booted up
      3. Postgres DB
      4. Shutdown, applied patch following advisory
      5. admin panel not accessible
      6. content appears to be missing
      7. see errors in the logs:
        2014-05-22 16:28:50,308 ERROR [http-8080-1] [[Standalone].[localhost].[/].[action]] log Servlet.service() for servlet action threw exception
         -- referer: http://localhost:8080/dashboard.action | url: /display/ds/Example+Human+Resources+Page | userName: admin
        java.lang.AbstractMethodError: com.atlassian.xwork10.Xwork10VersionSupport.extractMethod(Lcom/opensymphony/xwork/ActionInvocation;)Ljava/lang/reflect/Method;
        	at com.atlassian.xwork.interceptors.XsrfTokenInterceptor.intercept(XsrfTokenInterceptor.java:78)
        	at com.atlassian.confluence.xwork.ConfluenceXsrfTokenInterceptor.intercept(ConfluenceXsrfTokenInterceptor.java:25)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.interceptors.CaptchaInterceptor.intercept(CaptchaInterceptor.java:46)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:49)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.core.CancellingInterceptor.intercept(CancellingInterceptor.java:23)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.websudo.WebSudoInterceptor.intercept(WebSudoInterceptor.java:58)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:57)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.setup.webwork.BootstrapAwareInterceptor.intercept(BootstrapAwareInterceptor.java:26)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.user.actions.UserAwareInterceptor.intercept(UserAwareInterceptor.java:58)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.pages.actions.CommentAwareInterceptor.intercept(CommentAwareInterceptor.java:43)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:106)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:68)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedI
        

      Workaround

      Use the old xwork until Atlassian fixes the problem.


            VitalyA added a comment -

            Patches are linked (you need to replace all 3 files):

            atlassian-xwork-10-1.17.jar
            atlassian-xwork-core-1.17.jar
            xwork-1.0.3.6.jar

            MD5 (atlassian-xwork-10-1.17.jar) = 789acc22737e29577b9e843d5faf0317
            MD5 (atlassian-xwork-core-1.17.jar) = 3e05c38578eec3583b9d5ef5e28fd058
            MD5 (xwork-1.0.3.6.jar) = 59c8950b1129637bb63aea94b4139d7f

            Steps to apply the patches:

            1. Shut down Confluence
            2. Move the following files to a location outside of the <CONFLUENCE-INSTALL> folder:
            i. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-10.1.12.jar
            ii. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/atlassian-xwork-core.1.12.jar
            iii. <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/xwork-1.0.3.2.jar
            3. Add the downloaded files to the <CONFLUENCE-INSTALL>/confluence/WEB-INF/lib/ folder.
            4. Start up Confluence again

            To confirm that you have applied the patch successfully, check the version of the xwork jar that has been loaded into Confluence as follows.

            1. Log in as administrator.
            2. Navigate to /admin/classpath.action URL on your instance and search for "xwork".
            There should be three hits: atlassian-xwork-10-1.17.jar, atlassian-xwork-core-1.17.jar and xwork-1.0.3.6.jar. This confirms that the patch has been correctly applied.
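            The following script is an added example and is not part of the Jira issue or of any Atlassian tooling. It carries the steps in VitalyA's comment through in shell: it checks the three replacement jars against the MD5 sums posted above before anything is touched, moves the old jars out of WEB-INF/lib into a backup directory outside the install, copies the new jars in, and then confirms that only the new jars remain. The environment variables CONFLUENCE_INSTALL, PATCH_DIR and BACKUP_DIR, the --apply flag and the script name are assumptions; the jar names and sums are the ones from the comment. Run it only with Confluence shut down, as step 1 requires.

```shell
#!/bin/sh
# Added example, not from the Jira issue or from Atlassian: verify, swap and
# re-check the three xwork jars named in CONFSERVER-33738. All paths are
# assumptions; the jar names and MD5 sums are the ones posted in the comment.
set -u

# "name:md5" pairs as posted in the comment.
EXPECTED_JARS='atlassian-xwork-10-1.17.jar:789acc22737e29577b9e843d5faf0317
atlassian-xwork-core-1.17.jar:3e05c38578eec3583b9d5ef5e28fd058
xwork-1.0.3.6.jar:59c8950b1129637bb63aea94b4139d7f'

# Old jars from the comment that must be gone from WEB-INF/lib after patching.
OLD_JARS='atlassian-xwork-10.1.12.jar atlassian-xwork-core.1.12.jar xwork-1.0.3.2.jar'

# Print the MD5 hex digest of a file (GNU md5sum or BSD md5).
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# verify_jar FILE EXPECTED_MD5: succeed only if FILE exists and its digest matches.
verify_jar() {
  [ -f "$1" ] || return 1
  [ "$(md5_of "$1")" = "$2" ]
}

# verify_patch_dir DIR: succeed only if every replacement jar is in DIR with
# the posted digest. Do this before touching the install.
verify_patch_dir() {
  rc=0
  for entry in $EXPECTED_JARS; do
    name=${entry%%:*}
    sum=${entry#*:}
    if verify_jar "$1/$name" "$sum"; then
      echo "OK       $name"
    else
      echo "MISMATCH $name (missing or wrong MD5)"
      rc=1
    fi
  done
  return $rc
}

# check_lib_dir LIB: succeed only if the three new jars are present and none of
# the old ones remains (the classpath check from the comment, done on disk).
check_lib_dir() {
  rc=0
  for entry in $EXPECTED_JARS; do
    name=${entry%%:*}
    [ -f "$1/$name" ] || { echo "MISSING  $1/$name"; rc=1; }
  done
  for old in $OLD_JARS; do
    [ ! -e "$1/$old" ] || { echo "STALE    $1/$old still present"; rc=1; }
  done
  return $rc
}

# swap_jars LIB PATCH_DIR BACKUP_DIR: move the old jars out of LIB into
# BACKUP_DIR (outside the install, as the comment says) and copy the new ones in.
swap_jars() {
  mkdir -p "$3" || return 1
  for old in $OLD_JARS; do
    if [ -e "$1/$old" ]; then
      mv "$1/$old" "$3/" || return 1
    fi
  done
  for entry in $EXPECTED_JARS; do
    name=${entry%%:*}
    cp "$2/$name" "$1/" || return 1
  done
}

# Usage (assumed layout):
#   CONFLUENCE_INSTALL=/opt/confluence PATCH_DIR=/tmp/xwork-patch ./patch-xwork.sh --apply
if [ "${1:-}" = "--apply" ]; then
  lib="${CONFLUENCE_INSTALL:?set CONFLUENCE_INSTALL}/confluence/WEB-INF/lib"
  verify_patch_dir "${PATCH_DIR:?set PATCH_DIR}" || exit 1
  swap_jars "$lib" "$PATCH_DIR" "${BACKUP_DIR:-$HOME/xwork-jars-backup}" || exit 1
  check_lib_dir "$lib"
fi
```

            The digest check runs first and the swap is refused on any mismatch, so a corrupted or wrong download never reaches WEB-INF/lib; check_lib_dir afterwards is the on-disk counterpart of the /admin/classpath.action check in the comment and will also catch a stale old jar left behind, which is exactly what produces the AbstractMethodError in the description.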


            Nigel Sim added a comment -

            Also affects 3.5.17


              shaffenden Steve Haffenden (Inactive)
              wzanchet William Zanchet (Inactive)