Note

      The initial change was made in response to the collection of security issues we've recently seen. We had aimed to improve the security posture of Confluence by limiting the ability of the running process to write to the install directory. As part of this change we required sudo to install Confluence, but did not fully enforce this requirement in the installer. This led to a collection of problems identified here, and the basis of most of our understanding of the issue. Unfortunately there is also an issue where the user set by the installer would have more permissions than in our previous implementation.

      To address this, we've reverted the previous changes for the coming release (see the status above). Further, to address the impact to customers who have already installed with a super user, we've created a guide to fix the permissions which can be found at Unable to upgrade using non-sudo after using sudo during a prior upgrade.

      For those that have not been impacted by the issue in the installer, you can use this new installer without issue or requiring sudo at this time.

      Issue Summary

      Upgrading Confluence to version 8.5.5 causes an issue when the installer was run without using sudo on a Linux server.

      Steps to Reproduce

      1. Run the installer with the user Confluence is installed with 

      •  ./atlassian-confluence-8.5.5-x64.bin

      2. The installer encounters an error while attempting to create the OS X - Run Confluence In Background.command binary file and displays the following message:

      • Extracting files ...
          bin/OS X - Run Confluence In Background.command                          
        /opt/atlassian/confluence/atlassian-confluence-8.5.4/bin/OS X - Run Confluence In Background.command
        Could not create this file. Shall I try again?
        Yes [y], Cancel [c]
        

      Expected Results

      Traditionally, the installation process is expected to proceed smoothly if the Confluence user has the required privileges on the Linux server, even without sudo permissions.

      The upgrade from version 8.5.3 to 8.5.4 is functioning properly even without sudo access.

      Actual Results

      The following exception is observed during the upgrade process.

      • The upgrade process will shut down your existing Confluence installation to complete the upgrade.
        
        Do you want to proceed?
        Upgrade [u, Enter], Exit [e]
        u
        
        Your instance of Confluence is currently being upgraded.
        Shutting down Confluence...
        Checking if Confluence has been shutdown...
        Backing up the Confluence installation directory
                                                                                   
        Deleting the previous Confluence installation directory...
        
        Extracting files ...
          bin/OS X - Run Confluence In Background.command                          
        /opt/atlassian/confluence/atlassian-confluence-8.5.3/bin/OS X - Run Confluence In Background.command
        Could not create this file. Shall I try again?
        Yes [y], Cancel [c]
        y
        /opt/atlassian/confluence/atlassian-confluence-8.5.3/bin/OS X - Run Confluence In Background.command
        Could not create this file. Shall I try again?
        Yes [y], Cancel [c]
        c
        Rolling back changes ...
                                 
        

      Workaround

      It is recommended to execute the Linux installer using sudo. This procedure is outlined in the official upgrade guide.

      Run the installer – we recommend using sudo to run the installer:

       $ sudo ./atlassian-confluence-X.X.X-x64.bin
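
A pre-flight ownership audit for the situation the note above describes (an install tree left partly owned by a super user after a sudo run), as an added example that is not Atlassian's installer code or the linked permissions guide. The function names, the numeric uid argument, and the use of ownership as a proxy for what a non-sudo upgrade can rewrite are assumptions.

```shell
#!/bin/sh
# Added example, not Atlassian's installer code or the linked permissions guide.
# Ownership is used here as a proxy (an assumption) for what an installer run
# as a given non-root account is able to delete and recreate.

# Print every path under directory $1 that is NOT owned by numeric uid $2.
foreign_owned() {
    find "$1" ! -uid "$2" -print 2>/dev/null
}

# Print every non-symlink path under $1 that is group- or world-writable,
# i.e. writable by accounts other than the owner.
loosely_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Summarise the tree for uid $2.
# Returns 0 when every entry is owned by that uid, 1 when some entries belong
# to another account (for example root after a sudo run), 2 when $1 is missing.
preflight() {
    dir=$1
    uid=$2
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # Line counts assume no newlines in file names; spaces are fine.
    n=$(foreign_owned "$dir" "$uid" | wc -l | tr -d ' ')
    w=$(loosely_writable "$dir" | wc -l | tr -d ' ')
    echo "foreign_owned=$n loosely_writable=$w"
    [ "$n" -eq 0 ]
}

# Usage: sh preflight.sh INSTALL_DIR [UID]   (UID defaults to the caller's)
[ $# -eq 0 ] || preflight "$1" "${2:-$(id -u)}"
```

A non-zero foreign_owned count for the account that will run the installer indicates entries that account does not own, and any loosely_writable entries are worth reviewing against the goal of keeping the running process from writing to the install directory.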
      
      

            [CONFSERVER-94104] Issue with the Linux Installer for Confluence

            Damian Egli added a comment - Just in Time - Thanks! It worked now.

            Aakash Jain added a comment - A fix for this issue is available in Confluence Server and Data Center 8.5.6. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Aakash Jain added a comment - A fix for this issue is available in Confluence Server and Data Center 7.19.19. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Hi All,

            Just a quick update on this one.

            Firstly, my apologies for the apparent radio silence on this issue. We thought we had a full understanding of the issue, but when I came to reply to the issue and read further into some of the comments, I realised our understanding was incomplete. With this new understanding, it's apparent the change implemented here did not achieve what we had intended, and in ways had the opposite effect.

            The initial change was made in response to the collection of security issues we've recently seen. We had aimed to improve the security posture of Confluence by limiting the ability of the running process to write to the install directory. As part of this change we required sudo to install Confluence, but did not fully enforce this requirement in the installer. This led to a collection of problems identified here, and the basis of most of our understanding of the issue. Unfortunately there is also an issue where the user set by the installer would have more permissions than in our previous implementation.

            To address this, we've reverted the previous changes. Further, to address the impact to customers who have already installed with a super user, we've created a guide to fix the permissions which can be found at Unable to upgrade using non-sudo after using sudo during a prior upgrade.

            For those that have not been impacted by the issue in the installer, you can use this new installer without issue or requiring sudo at this time.

            We are continuing to strengthen the security posture of Confluence Data Center, and will be bringing additional similar changes in the future.

            Please keep an eye on future release notes for these changes.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


            Andrew Chadwell added a comment -

            Is the workaround (Run as root) just during installation and then I can revoke the permission, or does my service ID need to have root indefinitely? Sorry if this has already been asked/answered.

            Kind regards,

            Andrew

            Faisal Shamim added a comment -

            Hello Atlassian team,

            We are also getting the same while upgrading the Confluence version to the current version 7.19.18 from 7.19.17. I see it's set at highest priority. Please keep us updated ASAP on when it will be resolved. Also, one thing I noticed with this installer, which is very disappointing, is that it removes the current Home dir folder. Please take note of it and have this resolved at the earliest.

            Thanks

            Faisal

            Tobias added a comment -

            Come on guys. This bug was in Status "In Progress" two days ago. Why did you put off your customers?

            Firstly you publish a security advisory and request your users to update the version with an installer which is broken.

            What a pity!

            Erik added a comment - - edited

            Why is this now in "short term Backlog"??!
            We are waiting for almost 2 weeks to finally install the fix Version for the CVE Issue. 
            As already mentioned, this has to be fixed within hours, not days or weeks!


            Juraj Drahoš added a comment - Atlassian, this has to be fixed ASAP as upgrade is the only way to solve several serious security Confluence DC vulnerabilities (with score between 7.5 and 8.6)  mentioned in security bulletin from 16th January 2024. This has to be matter of hours, not days! According to comments there is no safe workaround at the moment.

            John Skaggs added a comment - Atlassian, is there any movement on this issue? This is holding up a lot of teams.
