The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines (see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for subsequent bugfixes).

The April 2015 blog post for the latest update lists multiple security issues affecting server code, several exploitable over the network, and 3 that are severity 10.0 (their highest rating). They do not provide any details for us to know what these vulnerabilities are, aside from their CVE IDs. See https://blogs.oracle.com/security/entry/april_2015_critical_patch_update for all the details we have, and watch https://access.redhat.com/security/cve/CVE-2015-0491, https://access.redhat.com/security/cve/CVE-2015-0459 and https://access.redhat.com/security/cve/CVE-2015-0469 for publication.

We need to update the bundled version of the JRE to at least 1.7.0_79.

In versions of Confluence where we've dropped support for any JRE other than the one we bundle, we need to do this update as a matter of urgency.
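The check an operator would want after reading the report above, as an added example that is not part of the issue or of Atlassian's own tooling: parse the version string the bundled JRE prints and compare its update number against the 1.7.0_79 baseline the reporter cites. The `java -version` output below is a constructed sample; the `$CONFLUENCE_INSTALL/jre/bin/java` path is an assumed placeholder for wherever the bundled JRE lives in a given installation.

```shell
#!/bin/sh
# Added example (not from the Jira issue or Atlassian): compare a Java 7
# version string such as "1.7.0_15" with the security baseline "1.7.0_79".
# Assumption: the bundled JRE is at $CONFLUENCE_INSTALL/jre/bin/java; adjust
# the path for your installation.

BASELINE="1.7.0_79"

# java_update_number VERSION -> integer after the underscore ("1.7.0_15" -> 15);
# a string without an "_NN" update suffix yields 0.
java_update_number() {
    case "$1" in
        *_[0-9]*) printf '%s\n' "${1##*_}" | sed 's/[^0-9].*$//' ;;
        *) echo 0 ;;
    esac
}

# java_major VERSION -> the "1.7.0" part before the underscore
java_major() {
    printf '%s\n' "${1%%_*}"
}

# check_jre HAVE WANT -> prints "ok", "outdated" or "other-major".
# "other-major" means the major version differs (e.g. 1.8.0 vs 1.7.0), so an
# update-number comparison is meaningless and the caller must decide separately.
check_jre() {
    have="$1"; want="$2"
    if [ "$(java_major "$have")" != "$(java_major "$want")" ]; then
        echo "other-major"
        return 0
    fi
    if [ "$(java_update_number "$have")" -lt "$(java_update_number "$want")" ]; then
        echo "outdated"
    else
        echo "ok"
    fi
}

# version_from_output TEXT -> the quoted version on the first line of
# `java -version` output (note: the JVM writes that output to stderr).
version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample of what the bundled JRE named in the issue would print.
# In a real check replace it with:
#   SAMPLE_OUTPUT=$("$CONFLUENCE_INSTALL/jre/bin/java" -version 2>&1)
SAMPLE_OUTPUT='java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)'

main() {
    v=$(version_from_output "$SAMPLE_OUTPUT")
    echo "bundled JRE: $v, baseline: $BASELINE -> $(check_jre "$v" "$BASELINE")"
}

main
```

Run it as-is to see the sample classified as `outdated`; point `SAMPLE_OUTPUT` at the real binary to audit an installation. The script only compares version numbers against the baseline the reporter names; it does not decide whether a given CVE applies to a given deployment.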

[CONFSERVER-37240] Multiple vulnerabilities in Java 1.7.0_15

Denise Unterwurzacher [Atlassian] (Inactive) added a comment -

Hi rob.kearey, we have stuck with Java 7 because this is a bugfix release, which should only include small, low risk changes. We will move to bundling Java 8 in Confluence 5.8. You are of course able to manually upgrade to whatever JRE you wish to use, this is simply the default.

robk added a comment -

Why not just move to 1.8?

dunterwurzacher Denise Unterwurzacher [Atlassian] (Inactive)
richatkins Richard Atkins