CONFSERVER-78586 (Confluence Data Center): Tracking Resolution of Issue Described in FAQ for CVE-2022-22965

      This issue stands as a placeholder to track the progress of resolving the issue described at FAQ for CVE-2022-22965.

      As part of normal security practice, we do not disclose security issues until they are fully resolved in our products, so as to mitigate the risk to our customers. In this case the broader security concern was raised publicly by a third party, so broad-stroke information about the issue is already available.

      We cannot disclose particular details of the issue, and the FAQ for CVE-2022-22965 remains the single source of truth. Once this issue is resolved, we will update this issue to point to the security disclosure issue with additional detail.

      For now, this ticket can be followed for updates on progress to resolving the issue.


            James Ponting added a comment - - edited

            Hi d5d697575e84,

            No. You'll need to upgrade to get the full fix.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


            Jacky Zhou added a comment -

            Hi James,

            Is this an interim solution,
            i.e. same as JRASERVER-73773, by only upgrading Tomcat?


            Best regards,
            Jacky Zhou

            James Ponting added a comment -

            Hi All,

            b13ec69d03dc - The fix has been released as part of the releases on Friday. The Symptom Severity field is an oversight by me in creating the ticket. I have corrected this oversight. We certainly used this field, but the Priority is the primary field for most tickets. Whilst the Tomcat version bump that fixed the issue in Jira was part of the fix in Confluence, there were additional changes required to resolve this for Confluence.

            957164863928 - I don't believe so, though it would reduce the attack surface somewhat. I would recommend upgrading to one of the fixed versions for this reason, and also Confluence Security Advisory 2022-06-02.

            As noted above, a fix for this issue has been released in the following Confluence versions:

            • 7.4.17
            • 7.13.7
            • 7.14.3
            • 7.15.2
            • 7.16.4
            • 7.17.4
            • 7.18.1

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center

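The fixed-version list above is the one actionable check on this ticket. The following script is an added example (not Atlassian's code and not part of the ticket) that parses an installed Confluence version string and reports whether it is at or above the lowest fixed release of its 7.x branch. The table is copied from the comment above; the sample version strings are constructed. A branch that does not appear in the list (for example 7.12.x, or a release newer than 7.18) is reported as "unlisted" rather than assumed safe, and, consistent with the replies in this thread, nothing short of being on a fixed release counts as "fixed".

```python
"""Check Confluence version strings against the fixed releases listed in
CONFSERVER-78586 for CVE-2022-22965.

Added example, not Atlassian code. FIXED_VERSIONS is copied from the ticket
comment; the sample inputs under __main__ are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Lowest fixed release per 7.x branch, as listed in the ticket comment.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.13.5' (or '7.18', treated as 7.18.0) into a comparable tuple.

    Raises ValueError on anything else so that a garbled input is never
    silently classified as fixed or vulnerable.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for an installed version.

    'unlisted' means the branch has no fixed release in the ticket's list
    (an older 7.x branch, or something newer than any listed branch); that
    case must be resolved against the Confluence Security Advisory rather
    than assumed safe.
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def assess_many(versions: List[str]) -> Dict[str, str]:
    """Assess a fleet of version strings; unparseable ones are 'invalid'."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = assess(v)
        except ValueError:
            result[v] = "invalid"
    return result


if __name__ == "__main__":
    # Constructed sample input: version strings collected from a fleet.
    sample = ["7.13.5", "7.13.7", "7.17.4", "7.18.0", "7.12.3", "7.19.0", "7.4.18", "n/a"]
    for version, verdict in assess_many(sample).items():
        print(f"{version:>8}  {verdict}")
```

Feed it the version string shown by the Confluence instance itself; the point of the three-way verdict is that an unknown branch is surfaced for a human decision instead of being folded into "fixed".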

            Bernd Schaper added a comment -

            Is the system safe when we're not using the bundled Tomcat?

            Edgar König added a comment -

            Hello James,

            after all, the process is now in progress. Is there a timetable for the release of a fix?

            I can't understand why the problem is dragging on and symptom severity is only on level 3. JRASERVER-73773 is about the same issue and there symptom severity is set to critical, which imho is correct for an RCE.

            In Jira there is already a fix released, by using a current tomcat version. Same solution should be possible with Confluence by using Tomcat 9.0.63. Unfortunately, our customer only wants to use systems supported by Atlassian and since the use of other tomcat versions is not supported, we are tied to the bundled tomcat.

            Thanks,

            Edgar König


            James Ponting added a comment -

            Hey Edgar,

            Unfortunately I need to wait for the security team to communicate on that front.

            This ticket will be updated as soon as we have information we can share.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


            Edgar König added a comment - - edited

            Hi James,

            is the vulnerability fixed with the release of Confluence 7.13.6?

            Thank you

            Edgar König


            James Ponting added a comment -

            Hi All,

            Apologies for the delay in responding.

            9d31014965c2 - Confluence is tested on both Java 8 and Java 11, so you will be fine to downgrade the Java version being used to run Confluence. There should be no issues in doing so. In terms of impact, there have been some performance improvements made in the JRE between 8 and 11, particularly in the realm of garbage collection. This shouldn't be a blocker, but I would encourage you to upgrade to Java 11 once more when the fix is released.

            7675e03adf45 - That is still correct. You can use either the Adoptium OpenJDK or Oracle's JDK, however you may need to check their licensing agreements (a primary driver in bundling Adoptium). We would generally recommend the latest build of the JDK for whichever version you choose (i.e. Java 8.latest), however you can choose to match to the tested version if you're so inclined.

            Hopefully that helps.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


            Rick Carini added a comment -

            Hi jponting,

            Similar to 9d31014965c2's question above, we are using the document, https://confluence.atlassian.com/conf713/bundled-tomcat-and-java-versions-1077914840.html to indicate which JDK has been tested with which version of Confluence.

            Is this still valid?

            I'm not seeing any recommendations on the FAQ page, currently.

            Thanks for your continued attention.

            Regards,
            Rick


            VIMAL RAJ added a comment -

            Hi team,

            Since there is no fix for Confluence from Atlassian yet, we would like to know the impact of downgrading the Java which comes along with the application package.

            • Backward compatibility of Confluence - Will Confluence functions be disturbed after downgrading Java?
            • Plugins perspective - Will the plugins' functions be disturbed if we downgrade Java?

            Thanks


              Affected customers: 21
              Watchers: 44