Hi d5d697575e84,

No. You'll need to upgrade to get the full fix.

Thanks,
James Ponting
Engineering Manager - Confluence Data Center

Hi James,

Is this an interim solution,
i.e. same as JRASERVER-73773, by only upgrading Tomcat?

Best regards,
Jacky Zhou

Hi All,

b13ec69d03dc - The fix has been released as part of the releases on Friday. The Symptom Severity field is an oversight by me in creating the ticket. I have corrected this oversight. We certainly used this field, but the Priority is the primary field for most tickets. Whilst the Tomcat version bump that fixed the issue in Jira was part of the fix in Confluence, there were additional changes required to resolve this for Confluence.

957164863928 - I don't believe so, though it would reduce the attack surface somewhat. I would recommend upgrading to one of the fixed versions for this reason, and also Confluence Security Advisory 2022-06-02.

As noted above, a fix for this issue has been released in the following Confluence versions

• 7.4.17
• 7.13.7
• 7.14.3
• 7.15.2
• 7.16.4
• 7.17.4
• 7.18.1

Thanks,
James Ponting
Engineering Manager - Confluence Data Center

Is the system safe when we're not using the bundled tomcat?

Hello James,

after all, the process is now in progress. Is there a timetable for the release of a fix? 

I can't understand why the problem is dragging on and symptom severity is only on level 3. JRASERVER-73773 is about the same issue and there symptom severity is set to critical, which imho is correct for an RCE.

In Jira there is already a fix released, by using a current tomcat version. Same solution should be possible with Confluence by using Tomcat 9.0.63. Unfortunately, our customer only wants to use systems supported by Atlassian and since the use of other tomcat versions is not supported, we are tied to the bundled tomcat.

Thanks,

Edgar König

Hey Edgar,

Unfortunately I need to wait for the security team to communicate on that front.

This ticket will be updated as soon as we have information we can share.

Thanks,
James Ponting
Engineering Manager - Confluence Data Center

Hi James,

is the vulnerability fixed with the release of Confluence 7.13.6?

Thank you

Edgar König

Hi All,

Apologies for the delay in responding.

9d31014965c2 - Confluence is tested on both Java 8 and Java 11, so you will be fine to downgrade the Java version being used to run Confluence. There should be no issues in doing so. In terms of impact, there have been some performance improvements made in the JRE between 8 and 11, particularly in the realm of garbage collection. This shouldn't be a blocker, but I would encourage you to upgrade to Java 11 once more when the fix is released.

7675e03adf45 - That is still correct. You can use either the Adoptium OpenJDK or Oracle's JDK, however you may need to check their licensing agreements (a primary driver in bundling Adoptium). We would generally recommend the latest build of the JDK for whichever version you choose (i.e. Java 8.latest), however you can choose to match to the tested version if you're so inclined.

Hopefully that helps.

Thanks,
James Ponting
Engineering Manager - Confluence Data Center

Hi jponting,

Similar to 9d31014965c2's question above, we are using the document, https://confluence.atlassian.com/conf713/bundled-tomcat-and-java-versions-1077914840.html to indicate which JDK has been tested with which version of Confluence.

Is this still valid?

I'm not seeing any recommendations on the FAQ page, currently.

Thanks for your continued attention.

Regards,
Rick

Hi team,

Since there is no fix for Confluence from Atlassian yet, we would like to know the impact of downgrading the Java -which comes along with the application package.

• Backward compatible of confluence - Will Confluence functions be disturbed after downgrading the Java ?
• Plugins perspective- Will the plugins function be disturbed if we downgrade Java ?

Thanks