Confluence Server CVE-2019-20102 has no appropriate documentation for fix or upgrades

Willie_Dowling April 27, 2020

https://jira.atlassian.com/browse/CONFSERVER-59358

This is the only information I have to support this vulnerability, but it doesn't speak to the product or vulnerability. I can not provide updates to my user community without justification. Can you assist, please?

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 27, 2020

Hi Willie, welcome to the Community!

Following the CVE number you posted out to MITRE, we see this publicly available vulnerability information:

The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter.

The bugfix version for 6.15 has been beyond 6.15.5 for some time (6.15.6 was released 24 June 2019) - if someone is running an affected version of 6.15.x, it should be relatively straightforward for them to upgrade in that minor version line.

Is there additional information you need here, or will the affected versions suffice for your user community?

Thanks,
Daniel | Atlassian Team

Willie_Dowling April 28, 2020

Thank you for your prompt response, Daniel. The information helps, but could you direct me to the documentation that covers CVE-2019-20102 and the patch link to download for the most current version. Thanks again.

Willie_Dowling April 28, 2020

https://jira.atlassian.com/browse/CONFSERVER-59358 to me did not really inform the vulnerability, but I could be misunderstanding. Looking for any additional information for clarity, thanks

Willie_Dowling April 28, 2020

Nevermind guys, I appreciate all your assistance. My team was able to find the necessary information to provide to our customers. 

Willie_Dowling April 28, 2020

Sorry, I have another question for you. This might be a silly question, but I don't want to assume. Will version 6.15.10 fix the affected vulnerability of all previous versions, or will the appropriate instruction be to upgrade to 7.4 of Confluence Server? How do the updates work? Explain, please?

Daniel Eads
Atlassian Team
April 28, 2020

Hey Willie, it's not silly - always good to be sure when applying bugfixes! Breaking down the information from the CVE, here's the snippet about 6.15 affected versions:

version 6.15.0 before version 6.15.5

Explicitly this means:

  • 6.15.0
  • 6.15.1
  • 6.15.2
  • 6.15.3
  • 6.15.4

Releases in 6.15 after that would all contain the fix - meaning 6.15.10 would have the fix. The bugfix versions are additive (issue fixes can't be applied individually, you get everything released up to that point when you do an upgrade). All the fixes that were released in 6.15.5 would be included in 6.15.6, in addition to any new bugfixes released in 6.15.6. 

The feature releases (the second number in the dot sequence) get bugfixes for a short period. The 7.4 release is what we've designated as an Enterprise Release, meaning it continues to receive bugfixes for a longer period of time than a typical feature release. Other projects like Ubuntu refer to this type of release as LTS or Long Term Support. New features won't appear in 7.4 after the release of 7.4.0, but any bugs that get fixed in 7.5 for example would also appear as bugfixes for 7.4 - something like 7.4.3 (if they were bugs in 7.4 also).

For this CVE specifically, 6.15.10 is a fixed version. But if you are working on an upgrade anyway, it might be worth the effort to look at 7.4 as the version you upgrade to. Upgrading from something like 6.15.2 to 6.15.10 would be considered "low risk" as no new features will be added - just bugfixes. Depending on your procedures for doing upgrades, if you might be looking at 6 hours invested for testing/upgrading a bugfix version, it might be worth just investing more time and going up to 7.4.

Some additional reading about Enterprise Releases is available in our documentation.

Hope that adds some context!
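The version-range reading Daniel walks through above, turned into a check an administrator can run against their own inventory. This is an added example, not code from the thread or from Atlassian; the two affected ranges are the ones quoted from the MITRE text, and the function names are my own.

```python
# Added example (not from the Atlassian post): test a Confluence Server
# version against the affected ranges published for CVE-2019-20102:
#   "from version 6.14.0 through version 6.14.3"  -> upper bound inclusive
#   "version 6.15.0 before version 6.15.5"        -> upper bound exclusive
from typing import List, Tuple

Version = Tuple[int, ...]

# (lower bound, upper bound, whether the upper bound is itself affected)
AFFECTED_RANGES = [
    ((6, 14, 0), (6, 14, 3), True),
    ((6, 15, 0), (6, 15, 5), False),
]


def parse_version(text: str) -> Version:
    """'6.15.10' -> (6, 15, 10). Comparing tuples of ints avoids the
    string-ordering trap where '6.15.10' sorts before '6.15.5'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the given Confluence Server version falls in an affected range."""
    v = parse_version(version)
    for low, high, upper_inclusive in AFFECTED_RANGES:
        if low <= v and (v <= high if upper_inclusive else v < high):
            return True
    return False


def affected_patch_versions(minor: str) -> List[str]:
    """Expand one minor line (e.g. '6.15') into the explicit list of affected
    bugfix versions, the way the answer above lists 6.15.0 through 6.15.4."""
    major, mnr = parse_version(minor)
    out = []
    for low, high, upper_inclusive in AFFECTED_RANGES:
        if low[:2] != (major, mnr):
            continue
        last = high[2] if upper_inclusive else high[2] - 1
        out.extend(f"{major}.{mnr}.{p}" for p in range(low[2], last + 1))
    return out


if __name__ == "__main__":
    for ver in ["6.14.3", "6.14.4", "6.15.4", "6.15.5", "6.15.10", "7.4.0"]:
        print(ver, "AFFECTED" if is_affected(ver) else "fixed/unaffected")
    print("6.15 affected:", affected_patch_versions("6.15"))
```

The string-comparison trap the comment mentions is real: `"6.15.10" < "6.15.5"` is `True` in Python, so a naive check would wrongly flag 6.15.10 as older than the fix.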

Willie_Dowling April 29, 2020

Thanks again, and I apologize for the delayed responses. So, to understand completely (and I appreciate the explanations): if I had upgraded to 7.4 when it first was made available, I would only need to apply the fixed version 6.15.10 or later? But, if an upgrade is necessary, is the "Enterprise" release 7.4 the appropriate recommendation?

Willie_Dowling April 29, 2020

What is the download link for 6.15.10?

Daniel Eads
Atlassian Team
April 30, 2020

Hi Willie - what version are you running currently?

If it's 7.something, then 6.15.10 would not be an upgrade you can do. I'll provide a download link once we know what version you're currently on - I want to make sure you get the right version recommendation :)
