-
Bug
-
Resolution: Fixed
-
Medium
-
7.13.8, 7.18.2
-
18
-
Severity 3 - Minor
-
21
-
This is reproducible on Data Center: yes
- The current version of Tomcat 9.0.63 is bundled with Confluence 7.18.2 and Confluence 7.13.8 are vulnerable to CVE-2022-34305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34305
Steps to Reproduce
- -
Expected Results
-
Actual Results
-
Workaround
Manually updating Tomcat would be a valid workaround, however, checking the Tomcat download link we can see that the latest available version is
- For Tomcat 9, 9.0.64 http://archive.apache.org/dist/tomcat/tomcat-9/
So, not even Tomcat has released a version that has the fix for this CVE, looks like this vulnerability is currently undergoing analysis.
Opening a ticket to keep track of it on our side.
[Update from Jul 21, 2022]
Tomcat released the 9.0.65 version which contains the fix for this vulnerability (CVE-2022-34305):
- links to
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[CONFSERVER-79480] Confluence Apache Tomcat CVE-2022-34305
A fix for this issue is available in Confluence Server and Data Center 7.13.11.
Upgrade now or check out the Release Notes to see what other issues are resolved.
Hi 7675e03adf45,
This fix will in fact be re-released with the availability of 7.13.11.
The fix version on this ticket will be updated once the new release has been made available.
We are expediting the new release but we still have to follow our standard quality processes. We are targeting a release for Tuesday 25th October so long as everything goes to plan. All customers will be notified on this ticket with a comment once the new release has been made available.
Cheers.
With the pulling of 7.13.10, will this be re-released into 7.13.11?
Is there a current ETA for 7.13.11?
Thanks once again!
Regards,
Rick
Does this issue only impact 7.13.8 or is it impacting all previous versions of 7.13.x?
(as Richard mentioned above?)
Regards,
Rick
A fix for this issue is available in Confluence Server and Data Center 7.13.10.
Upgrade now or check out the Release Notes to see what other issues are resolved.
A fix for this issue is available in Confluence Server and Data Center 7.20.0.
Upgrade now or check out the Release Notes to see what other issues are resolved.
Hi,
If this has been found in 7.13.8, where there is no mention of which 7.13.x version, is this going to be fixed in as well?
Thanks,
Richard Bukovansky | CommerzBank AG
A fix for this issue is available in Confluence Server and Data Center 7.19.2.
Upgrade now or check out the Release Notes to see what other issues are resolved.
During a recent review of a Confluence 7.13.7 installation, we noted one page returned an Apache Tomcat 9.0.63 banner. 7.13.7 is not listed as an impacted version in this issue, however. Apologies if I missed it, but did Atlassian ever confirm if any versions prior to 7.13.8 were impacted by this issue?