- Type: Bug
- Resolution: Fixed
- Priority: Low
- Affects Version/s: 9.2.2, 9.2.4, 9.5.3, 9.2.7, 10.0.2
- Component/s: Server - Platform
- Severity 3 - Minor
- RtB - Service ops & Tech entropy
Issue Summary
Confluence 9.0 introduced a new security feature known as the Velocity allowlist, which blocks unexpected method invocations during template rendering. This feature has been reported to malfunction and block operations that are designated as allowlisted.
This issue mostly impacts templates utilising the StringUtils class and results in repeated log warnings and unexpected loss of functionality.
The Velocity allowlist configuration is static; however, which Velocity template happens to render first after node startup currently affects how that configuration is loaded.
If the template originates from the base Confluence application, the allowlist will load as expected. However, if it originates from any plugin, including bundled Atlassian plugins or marketplace plugins, it may cause improper loading of the allowlist.
Note that there is no correlation between the plugin which has interfered with the loading of the allowlist and the plugin which experiences loss of functionality/errors.
Steps to Reproduce
- Reproduction steps depend on the plugin involved; refer to the summary above.
- Usually requires the user to be pre-authenticated or for external authentication to be configured.
Expected Results
No log warnings. No unexpected functionality loss.
Actual Results
One or more of the warnings below is logged repeatedly. Unexpected functionality loss.
[velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotEmpty(java.lang.CharSequence)
[velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#defaultString(java.lang.String java.lang.String)
[velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotBlank(java.lang.CharSequence)
[velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#defaultString(java.lang.String)
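An administrator deciding whether an instance is hitting this bug wants to know which methods the allowlist is blocking and how often. The script below is an added example, not Atlassian's code or anything shipped with Confluence: it scans log text for the "Invocation blocked as method is not allowlisted" warning quoted above, counts blocked invocations per method signature, and flags the StringUtils pattern this issue describes. The sample log lines are constructed (the timestamp and thread prefix mimic a typical Confluence log layout but are not captured from a real instance), and the class com.example.plugin.Helper is a hypothetical plugin class included only to show that blocks of non-StringUtils methods are reported separately rather than treated as a symptom.

```python
import re
from collections import Counter

# Constructed sample log excerpt; the warning text matches the issue, the
# timestamps, thread names and the plugin class are made up for this example.
SAMPLE_LOG = """\
2024-05-01 10:02:11,532 WARN [http-nio-8090-exec-4] [velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotEmpty(java.lang.CharSequence)
2024-05-01 10:02:11,540 WARN [http-nio-8090-exec-4] [velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#defaultString(java.lang.String java.lang.String)
2024-05-01 10:02:12,001 INFO [http-nio-8090-exec-2] [confluence.util.misc] Unrelated line that must be ignored
2024-05-01 10:02:13,118 WARN [http-nio-8090-exec-7] [velocity] log Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotEmpty(java.lang.CharSequence)
2024-05-01 10:02:14,220 WARN [http-nio-8090-exec-1] [velocity] log Invocation blocked as method is not allowlisted: com.example.plugin.Helper#render(java.lang.String)
"""

# Matches the warning body and captures class, method and parameter list.
# Parameter lists are kept verbatim because Confluence separates them with
# spaces rather than commas (see the defaultString example in the issue).
BLOCKED_RE = re.compile(
    r"Invocation blocked as method is not allowlisted: "
    r"(?P<cls>[\w.$]+)#(?P<method>\w+)\((?P<params>[^)]*)\)"
)

# Methods of this class are allowlisted by Confluence according to the issue;
# seeing them blocked is the symptom of the misloaded allowlist.
SYMPTOM_CLASS = "org.apache.commons.lang3.StringUtils"


def parse_blocked_invocations(log_text):
    """Return a list of (class, method, params) tuples, one per warning line."""
    hits = []
    for line in log_text.splitlines():
        match = BLOCKED_RE.search(line)
        if match:
            hits.append((match["cls"], match["method"], match["params"]))
    return hits


def summarise(log_text):
    """Count blocked invocations per fully qualified method signature."""
    counts = Counter()
    for cls, method, params in parse_blocked_invocations(log_text):
        counts[f"{cls}#{method}({params})"] += 1
    return counts


def symptom_hits(log_text):
    """Blocked StringUtils calls only: the signature of this issue."""
    return [h for h in parse_blocked_invocations(log_text) if h[0] == SYMPTOM_CLASS]


def other_blocked_classes(log_text):
    """Other blocked classes; these may be legitimately disallowed and need separate review."""
    return sorted({h[0] for h in parse_blocked_invocations(log_text) if h[0] != SYMPTOM_CLASS})


def looks_like_misloaded_allowlist(log_text):
    """True when the log shows the StringUtils symptom described in the issue."""
    return len(symptom_hits(log_text)) > 0


if __name__ == "__main__":
    for signature, count in summarise(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {signature}")
    print("Misloaded allowlist symptom present:", looks_like_misloaded_allowlist(SAMPLE_LOG))
    print("Other blocked classes to review:", other_blocked_classes(SAMPLE_LOG))
```

Run it against the contents of atlassian-confluence.log on each node; a node whose output shows blocked StringUtils calls is a candidate for the restart procedure in the Workaround section, while blocked methods from other classes should be reviewed on their own merits rather than assumed to be this bug.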
Workaround
We understand the following workaround may not be practical but it has been documented for completeness.
- Disable plugins you suspect may be interfering with the loading of the allowlist.
- Restart affected node(s) to allow the Velocity allowlist to reinitialise.
- Before accepting traffic on the affected node(s), attempt to trigger the render of a Velocity template from the base Confluence application. The following endpoint may be suitable: '/aboutconfluence.action'.
- Re-enable disabled plugins.
Alternative Workaround
The workaround below is reliable but notably reduces the security of your instance, specifically against SSTI attacks. We do not recommend this approach; however, you may find the reduction in security acceptable if your Confluence instance is not public-facing. It is imperative that you remove the workaround after upgrading to a fixed version.
Configure the system property atlassian.velocity.method.allowlist.debug=true. This disables the Velocity allowlist security capability entirely, preventing the bug from manifesting.