Upgrade to Apache Tomcat 9.0.43 or later

Mahdi Challouf
Contributor
June 30, 2021

One of our clients has a security concern using the default installed version of Apache Tomcat that comes with Confluence 7.4.9. He said it's affected by multiple vulnerabilities, as referenced in the vendor advisory, and he's suggesting upgrading to Apache Tomcat 9.0.43 or later. The same should be done for both Jira 8.13.8 and Confluence. Any advice, please?

I did some research and found that this could have an impact on the official support, so when are you planning on supporting Tomcat 9 officially?

1 vote
Answer accepted
Nic Brough -Adaptavist-
Rising Star
June 30, 2021

Your Atlassian systems are only supported on the Tomcats that they are bundled with.  If you rip them out and deploy the applications into another Tomcat (which is not easy), you render yourself unsupported, and there's a good chance upgrades will not work at all.

I would recommend waiting until there is a long-term-support version bundled with your preferred (or higher) version of Tomcat and upgrade to that.

Mahdi Challouf
Contributor
June 30, 2021

Understood, thank you Nic. And how about an LTS? They suggest enabling support only for TLS 1.2 and 1.3 and disabling the default one, which is TLS 1.0, for security concerns. Advice, please?

Nic Brough -Adaptavist-
Rising Star
June 30, 2021

Well, I usually stick it behind a proxy and do the SSL stuff there, but yes, you can disable TLS in Tomcat if you are still using it directly, and this is fully supported.

I think it's actually already disabled in more recent versions, so a plain install or upgrade will do it automatically.

Check the server.xml for the word "protocol"; you'll find references to all supported protocols. Remove the TLS 1.0 and 1.1 references and restart Confluence and Jira.
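
Added example (not from Nic's reply or from Atlassian's documentation): a small Python checker for the server.xml review described above. It parses a constructed server.xml, skips plain-HTTP connectors, and flags SSL-enabled connectors whose sslEnabledProtocols or SSLHostConfig protocols list still admits TLS 1.0/1.1, or that set no list at all and so rely on Tomcat's defaults; the attribute names are Tomcat's own, while the sample ports and keystore path are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real Confluence/Jira install). The
# Connector 'protocol' attribute names the HTTP handler class, not a TLS
# version; TLS versions live in sslEnabledProtocols or SSLHostConfig/protocols.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8443" SSLEnabled="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"/>
  </Connector>
  <Connector port="8445" SSLEnabled="true">
    <SSLHostConfig certificateKeystoreFile="conf/keystore.jks"/>
  </Connector>
</Service>
"""

# Tokens that permit pre-TLS-1.2 handshakes; "all" is flagged because it
# includes TLS 1.0/1.1 unless the JRE itself has disabled them.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "all"}

def enabled_protocols(value):
    """Expand a Tomcat protocol list: '+X' adds X, '-X' removes it."""
    enabled = set()
    for tok in re.split(r"[,\s]+", value.strip()):
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        elif tok:
            enabled.add(tok.lstrip("+"))
    return enabled

def weak_tls_connectors(server_xml):
    """Return (port, reason) for SSL connectors allowing legacy TLS or defaults."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP, e.g. TLS terminated on a proxy or F5
        port = conn.get("port")
        sources = [("sslEnabledProtocols", conn)]
        sources += [("protocols", h) for h in conn.findall("SSLHostConfig")]
        explicit = [(a, e.get(a)) for a, e in sources if e.get(a) is not None]
        for attr, value in explicit:
            bad = enabled_protocols(value) & LEGACY
            if bad:
                findings.append((port, f"{attr} allows {sorted(bad)}"))
        if not explicit:
            findings.append((port, "no protocol list set; relies on defaults"))
    return findings
```

Run it against the real conf/server.xml after the edit and again after the restart; an empty list means every SSL-enabled connector explicitly limits itself to TLS 1.2/1.3.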

Mahdi Challouf
Contributor
July 2, 2021

Hi Nic,
Sorry for the late response. Yes, I was confirming with Atlassian the unsupported situation after upgrading the Tomcat; it's confirmed, and the vulnerabilities have been fixed with the new Tomcat patches.

Regarding the TLS, it can be managed at the proxy/load balancer level where the SSL terminates; it should not be configured at the Tomcat level, and as they are using F5 it will be handled there.
Thank you