  1. Confluence Data Center
  2. CONFSERVER-33738

Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X

    • Bug
    • Resolution: Fixed
    • High
    • None
    • 3.5.13, 3.5.16
    • None

      Steps to reproduce:

      1. Confluence 3.5.13
      2. Installed, booted up
      3. Postgres DB
      4. Shut down, applied patch following advisory
      5. Admin panel not accessible
      6. Content appears to be missing
      7. See errors in the logs:
        2014-05-22 16:28:50,308 ERROR [http-8080-1] [[Standalone].[localhost].[/].[action]] log Servlet.service() for servlet action threw exception
         -- referer: http://localhost:8080/dashboard.action | url: /display/ds/Example+Human+Resources+Page | userName: admin
        java.lang.AbstractMethodError: com.atlassian.xwork10.Xwork10VersionSupport.extractMethod(Lcom/opensymphony/xwork/ActionInvocation;)Ljava/lang/reflect/Method;
        	at com.atlassian.xwork.interceptors.XsrfTokenInterceptor.intercept(XsrfTokenInterceptor.java:78)
        	at com.atlassian.confluence.xwork.ConfluenceXsrfTokenInterceptor.intercept(ConfluenceXsrfTokenInterceptor.java:25)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.interceptors.CaptchaInterceptor.intercept(CaptchaInterceptor.java:46)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:49)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.core.CancellingInterceptor.intercept(CancellingInterceptor.java:23)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.websudo.WebSudoInterceptor.intercept(WebSudoInterceptor.java:58)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:57)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.setup.webwork.BootstrapAwareInterceptor.intercept(BootstrapAwareInterceptor.java:26)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.user.actions.UserAwareInterceptor.intercept(UserAwareInterceptor.java:58)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.pages.actions.CommentAwareInterceptor.intercept(CommentAwareInterceptor.java:43)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:106)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:68)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
        	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
        	at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedI
        

      Workaround

      Use the old xwork until Atlassian fixes the problem.
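
A post-patch log check for the failure reported above, added here as an example (it is not part of the original ticket and is not Atlassian code). It finds `AbstractMethodError` lines, and more generally `NoSuchMethodError` lines, decodes the JVM method descriptor into a readable signature, and reports the calling class from the first stack frame. The function names are assumptions of this example, and the embedded sample is built from the first lines of the excerpt above.

```python
import re

# Constructed sample: the first lines of the log excerpt quoted in the ticket.
SAMPLE_LOG = """\
2014-05-22 16:28:50,308 ERROR [http-8080-1] [[Standalone].[localhost].[/].[action]] log Servlet.service() for servlet action threw exception
 -- referer: http://localhost:8080/dashboard.action | url: /display/ds/Example+Human+Resources+Page | userName: admin
java.lang.AbstractMethodError: com.atlassian.xwork10.Xwork10VersionSupport.extractMethod(Lcom/opensymphony/xwork/ActionInvocation;)Ljava/lang/reflect/Method;
\tat com.atlassian.xwork.interceptors.XsrfTokenInterceptor.intercept(XsrfTokenInterceptor.java:78)
\tat com.atlassian.confluence.xwork.ConfluenceXsrfTokenInterceptor.intercept(ConfluenceXsrfTokenInterceptor.java:25)
"""

PRIMS = {"B": "byte", "C": "char", "D": "double", "F": "float", "I": "int",
         "J": "long", "S": "short", "Z": "boolean", "V": "void"}
# Both errors are reported as Owner.method(argDescriptors)returnDescriptor.
ERR = re.compile(r"^java\.lang\.(AbstractMethodError|NoSuchMethodError): "
                 r"([\w.$]+)\.([\w$<>]+)\((.*?)\)(\S+)$")
FRAME = re.compile(r"^\s*at ([\w.$]+)\.[\w$<>]+\(")

def decode_types(desc):
    """Decode consecutive JVM type descriptors into Java type names."""
    out, i = [], 0
    while i < len(desc):
        dims = 0
        while desc[i] == "[":          # each '[' adds one array dimension
            dims, i = dims + 1, i + 1
        if desc[i] == "L":             # object type: Lpkg/Class;
            end = desc.index(";", i)
            name, i = desc[i + 1:end].replace("/", "."), end + 1
        else:                          # single-letter primitive or void
            name, i = PRIMS[desc[i]], i + 1
        out.append(name + "[]" * dims)
    return out

def find_linkage_errors(log_text):
    """Return one finding per linkage error: readable signature and caller."""
    lines, findings = log_text.splitlines(), []
    for n, line in enumerate(lines):
        m = ERR.match(line.strip())
        if not m:
            continue
        kind, owner, method, args, ret = m.groups()
        try:
            sig = f"{decode_types(ret)[0]} {owner}.{method}({', '.join(decode_types(args))})"
        except (ValueError, KeyError, IndexError):
            continue                   # truncated or malformed log line
        frame = FRAME.match(lines[n + 1]) if n + 1 < len(lines) else None
        findings.append({"error": kind, "missing": sig,
                         "caller": frame.group(1) if frame else None})
    return findings
```

A finding whose `caller` and `missing` owner are different classes means the two were loaded from library versions that do not match, which is the state to look for after replacing a single jar.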


                        shaffenden Steve Haffenden (Inactive)
                        wzanchet William Zanchet (Inactive)
                        Votes: 6
                        Watchers: 8
