Problem

The Java versions bundled with current Confluence distributions seem to be affected by the below vulnerabilities:

• The affected versions are 22.0.1, 21.0.3, 17.0.11, 11.0.23, 8u412, and earlier:
  • CVE-2024-21147
  • CVE-2024-21145
  • CVE-2024-21140
  • CVE-2024-21144
  • CVE-2024-21131
  • CVE-2024-21138

• The affected versions are 23, 21.0.4, 17.0.12, 11.0.24, 8u422, and earlier:
  • CVE-2024-21235
  • CVE-2024-21208
  • CVE-2024-21210
  • CVE-2024-21217

Suggested Solution

Update the bundled JDK to the current versions 11.0.25, 17.0.13, 21.0.5, and keep them up to date in the future as well.

Why This Is Important

Although the above vulnerabilities have no security impact on Confluence, users are encountering issues with security scans and keeping Confluence in line with compliance regulations. Installing new Java versions and testing is an unplanned workload for the users.

Workaround

Install the latest Java release and manually change the Java Confluence uses:

• Installing Java for Confluence
• Change the Java vendor or version Confluence uses