Bug
Resolution: Fixed
High
6.15.3
51
Severity 3 - Minor
360
Issue Summary
If you upgrade Tomcat to version 9.0.14 - 9.0.19, emoticons are broken. Both emoticons on pages and the emoticon browser fail to load.
Issues observed:
Environment
- Confluence 6.13.4, Tomcat 9.0.14
- Confluence 6.15.3, Tomcat 9.0.17
java -cp catalina.jar org.apache.catalina.util.ServerInfo
In 6.15.2 the output looks like:
Server version: Apache Tomcat/9.0.12
Server built: Sep 4 2018 22:13:41 UTC
Server number: 9.0.12.0*
Steps to Reproduce
- Upgrade Tomcat to 9.0.14 following directions here
- Edit a page, load the emoticon browser, and observe that the images don't load
Expected Results
Emoticon images should load
Actual Results
Emoticon images don't load
Notes
If you inspect a HAR file, you will see that in Tomcat 9.0.13 and earlier, the content-type for the image is image/svg+xml;charset=UTF-8.
After upgrading to Tomcat 9.0.14, the content-type is text/html;charset=UTF-8.
I checked the release notes for Tomcat 9.0.14, and it looks like the issue is caused by this change: "The default Servlet should not override a previously set content-type"
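A check for the symptom described in the notes above, as an added example that is not part of the original issue: it scans a HAR capture for .svg requests whose response content-type is not image/svg+xml. The sample capture, host name and paths are constructed.

```python
import json
from urllib.parse import urlsplit

EXPECTED = "image/svg+xml"  # media type reported for Tomcat 9.0.13 and earlier

# Constructed sample capture (HAR 1.2 layout); hosts and paths are placeholders.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
 {"request": {"url": "https://wiki.example.test/constructed/emoticons/smile.svg"},
  "response": {"status": 200, "headers": [
    {"name": "Content-Type", "value": "image/svg+xml;charset=UTF-8"}]}},
 {"request": {"url": "https://wiki.example.test/constructed/emoticons/wink.svg?v=1"},
  "response": {"status": 200, "headers": [
    {"name": "content-type", "value": "text/html;charset=UTF-8"}]}},
 {"request": {"url": "https://wiki.example.test/constructed/emoticons/sad.svg"},
  "response": {"status": 304, "headers": []}},
 {"request": {"url": "https://wiki.example.test/constructed/logo.png"},
  "response": {"status": 200, "content": {"mimeType": "image/png"}}}
]}}
""")


def content_type(response):
    """Content-Type header value, lower-cased; falls back to content.mimeType."""
    for header in response.get("headers", []):
        if header.get("name", "").lower() == "content-type":
            return header.get("value", "").lower()
    return response.get("content", {}).get("mimeType", "").lower()


def mislabelled_svgs(har):
    """Return (url, content_type) for each .svg served with a non-SVG media type."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        response = entry.get("response", {})
        # 304 responses carry no body, so only judge full 200 responses.
        if response.get("status") != 200:
            continue
        if not urlsplit(url).path.lower().endswith(".svg"):
            continue
        ctype = content_type(response)
        if ctype.split(";", 1)[0].strip() != EXPECTED:
            findings.append((url, ctype))
    return findings


if __name__ == "__main__":
    for url, ctype in mislabelled_svgs(SAMPLE_HAR):
        print(f"{ctype}\t{url}")
```

To check a real capture, pass the result of `json.load()` on the HAR file exported from the browser's network panel. Capture after a hard refresh so that cached 304 responses do not hide the served content-type.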
Workaround
The provided workaround of downgrading Tomcat to 9.0.12 restores SVG functionality, but leaves the instance exposed to CONFSERVER-58106: Update Confluence Server to use Tomcat 9.0.16 to address CVE-2019-0199 (fixed in Confluence Server 7.0.1, 6.15.3, 6.14.4, 6.13.5, 6.6.14, 6.15.4) which is fixed in Tomcat 9.0.16. For this reason, anyone who has undertaken the downgrade of Tomcat to restore functionality should plan an upgrade to Confluence 6.15.4 (or later) as a matter of urgency.
Customers who have implemented header rewrite rules at the reverse proxy layer and are continuing to run Tomcat 9.0.16 are protected from the above CVE.
If you are unsure of your Tomcat version, you can use the command below to verify which version of Tomcat you're running. The command should be run from the <Confluence-Install>/lib directory:
java -cp catalina.jar org.apache.catalina.util.ServerInfo
We have since released Confluence 6.15.4 which contains a fix for this issue. We recommend upgrading immediately if you're impacted by the issue.
We no longer recommend the below workaround to downgrade Tomcat to 9.0.12, but it is available if required:
- Download the Tomcat 9.0.12 lib directory Tomcat-9-0-12-lib.zip, attached to this issue (alternatively you can download and extract apache-tomcat-9.0.12.zip or apache-tomcat-9.0.12.tar.gz from the Apache archives: https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.12/bin/).
- Stop Confluence
- Back up your installation directory.
- Remove the contents of your existing <install-directory>/lib directory.
- Copy the contents of the downloaded lib directory to your existing <install-directory>/lib directory.
- Restart Confluence
- Go to General Configuration > System Information and confirm Confluence is now using Apache Tomcat 9.0.12.
- Edit a page and confirm that you can successfully insert an emoticon.
Your browser may have cached the broken assets, so perform a hard refresh to confirm the fix has worked. If you suspect your users may also have cached broken assets, make a small change to your site colour scheme (for example change a colour and then change it back).
- relates to
CONFSERVER-79949 Log analyzer points out Tomcat 9.0.14 and later breaks Emoticons issue on resolved version
- Gathering Impact
- resolves
CONFSERVER-57558 Update Confluence Server to use Tomcat 9.0.13 to address Tomcat SecureNioChannel Bug
- Closed
CONFSERVER-53002 Using "space" as a context path will break some UI images in Confluence.
- Closed