Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-59863

Upgrade Tomcat to the fixed version of CVE-2020-9484

    XMLWordPrintable

    Details

    • UIS:
      28
    • Feedback Policy:
      We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      Problem Definition

      A recent Tomcat vulnerability (CVE-2020-9484) in which an attacker can access the content and names of files on a server when custom PersistenceManager filestores are used was announced that affects the following versions:
      10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103

      Confluence, as shipped, does not use PersistenceManager and is not vulnerable, but can be made so with customizations.

      Affected versions of Tomcat include:

      • 7.0.0 to 7.0.103
      • 8.5.0 to 8.5.54
      • 9.0.0.M1 to 9.0.34
      • 10.0.0-M1 to 10.0.0-M4

      Suggested Solution

      Include an unaffected version of Tomcat (9.0.35 and above for Tomcat) in Confluence,

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              nmukai Nobuyuki Mukai
              Votes:
              9 Vote for this issue
              Watchers:
              20 Start watching this issue

                Dates

                Created:
                Updated: