
CVE-2022-26134 not work for 7.1.1

hongjiangli June 13, 2022

I followed this security advisory and updated Confluence using the mitigation.

CVE-advisory 

I found that my Confluence instance is still being hacked (kdevtmpfsi / kinsing).

Confluence End Of Life versions are not fully tested with the workaround?

Is this true?

2 answers

1 accepted

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 13, 2022

The mitigation steps have been tested for 6.0.0 and higher versions. However, there are different mitigation steps for 7.15.0 and higher versions when compared to 7.14.2 and lower versions. The older versions require additional mitigation steps when compared to the more recent versions.

Is it possible that you might have followed the steps for 7.15.0 and higher versions instead of the 6.0.0-7.14.2 mitigation steps?

hongjiangli June 14, 2022

Hi, Andy

I find that the steps for 7.15.0 and higher versions include the 6.0.0-7.14.2 mitigation steps.

The difference is one patch file:

- xwork-1.0.3-atlassian-10.jar

versus three patch files:

- xwork-1.0.3-atlassian-10.jar
- webwork-2.1.5-atlassian-4.jar
- CachedConfigurationProvider.class

thanks,

Our license is EOL; we just want to fix it.

Andy Heinzer
Atlassian Team
June 14, 2022

Yes, the workaround for older versions has additional steps, which is what I was trying to point out. The mitigation steps, though, are only intended to prevent exploitation of that specific CVE until you can upgrade.

There are also two other security advisories out there that affect 7.1.1, please see:

Being that there are other known CVEs for that version, and that version is EOL as well, it is possible that you could be getting exploited by a different CVE entirely here. 

Because of that, I would recommend that you upgrade to a supported version such as 7.13.7 that contains fixes for all of these CVEs.  You can renew a previous server license by going to https://my.atlassian.com or creating an evaluation license there that will work for 30 days, which should be long enough to complete the upgrade at least.

hongjiangli June 14, 2022

Andy

"Because of that, I would recommend that you upgrade to a supported version such as 7.13.7 that contains fixes for all of these CVEs.  You can renew a previous server license by going to https://my.atlassian.com or creating an evaluation license there that will work for 30 days, which should be long enough to complete the upgrade at least."

-- If I create an evaluation license and upgrade to 7.13.7, can I still use the old license to keep basic service running after the 30 days?

Of course I would like to upgrade, but I am afraid the service would stop if I do not renew the license after the upgrade.

Thanks

LEON

Andy Heinzer
Atlassian Team
June 14, 2022

"If I create an evaluation license and upgrade to 7.13.7, after 30 days, can I still use old license to support basic service?"

No, the terms of your expired server license only allow you to use version releases before that license expired.  You won't be able to apply your old license to a newer version. The ability to upgrade is part of having an existing valid license applied to the system.  The evaluation licenses are the quick way to get a valid license so that you can do the upgrade itself. 

If the cost of a new license is a limitation to upgrading here, then I'd recommend reaching out to an Atlassian Partner, located within your country.  Ask that partner for a quote on a new Confluence Data Center license for your user level. It might be possible to obtain a discounted license depending on your organization details and the locations of your users.

hongjiangli June 14, 2022

Andy

Thanks for your explanation.

I found that my instance missed this advisory. I have fixed it and will wait and check.

LEON
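A quick check of the two mitigation branches Andy and LEON describe above, written as an added example that is not from the thread, from Atlassian or from the advisory itself. It assumes the standard install layout (a confluence/WEB-INF/lib directory for the jars and confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork for the class file, as the advisory lays it out), knows only the three file names and the 6.0.0-7.14.2 versus 7.15.0+ boundary given in the thread, and treats the assumption that the original xwork jar was removed as exactly that. The kinsing/kdevtmpfsi check matches only the two process names LEON reported; a hit means the host is already compromised and the mitigation files alone will not clean it.

```shell
#!/bin/sh
# Added example (not from the thread, Atlassian or the advisory): pick the
# CVE-2022-26134 mitigation branch for a Confluence version, verify the files
# named in the thread are present, and look for kinsing / kdevtmpfsi processes.
# WEB-INF paths are assumptions taken from the advisory's layout.

LIB=confluence/WEB-INF/lib
CLS=confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

# mitigation_branch VERSION -> "new" (7.15.0 and higher), "old" (6.0.0-7.14.2)
# or "unsupported" (below 6.0.0, where the thread says nothing was tested)
mitigation_branch() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -lt 6 ]; then
    echo unsupported
  elif [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 15 ]; }; then
    echo new
  else
    echo old
  fi
}

# required_files BRANCH -> relative paths (one per line) that branch must contain
required_files() {
  case $1 in
    new) echo "$LIB/xwork-1.0.3-atlassian-10.jar" ;;
    old) printf '%s\n' "$LIB/xwork-1.0.3-atlassian-10.jar" \
                       "$LIB/webwork-2.1.5-atlassian-4.jar" \
                       "$CLS/CachedConfigurationProvider.class" ;;
    *)   return 1 ;;
  esac
}

# check_mitigation INSTALL_DIR VERSION -> 0 if every required file is present,
# 1 if something is missing, 2 if the version has no tested mitigation
check_mitigation() {
  dir=$1
  ver=$2
  branch=$(mitigation_branch "$ver")
  if [ "$branch" = unsupported ]; then
    echo "version $ver: below 6.0.0, no tested mitigation"
    return 2
  fi
  echo "version $ver: expecting the $branch-version mitigation files"
  missing=0
  for f in $(required_files "$branch"); do
    if [ -f "$dir/$f" ]; then
      echo "present: $f"
    else
      echo "MISSING: $f"
      missing=1
    fi
  done
  # Assumption: the original xwork jar is removed when the patched one is dropped
  # in, so any other xwork-*.jar still sitting in lib deserves a look.
  for j in "$dir/$LIB"/xwork-*.jar; do
    [ -e "$j" ] || continue
    case $j in
      *xwork-1.0.3-atlassian-10.jar) ;;
      *) echo "WARNING: extra xwork jar still present: $j" ;;
    esac
  done
  return $missing
}

# kinsing_indicators reads a "pid name" listing on stdin, prints matching lines
# and exits 0 only if a process named kinsing or kdevtmpfsi appears.
# Feed it with:  ps -eo pid=,comm= | kinsing_indicators
kinsing_indicators() {
  awk '$2 == "kinsing" || $2 == "kdevtmpfsi" { found = 1; print } END { exit !found }'
}

# Usage: sh check_26134.sh /opt/atlassian/confluence 7.1.1
if [ "$#" -ge 2 ]; then
  check_mitigation "$1" "$2"
  if ps -eo pid=,comm= | kinsing_indicators; then
    echo "kinsing / kdevtmpfsi is running: the host is compromised, patching alone will not remove it"
  fi
fi
```

Run against a 7.1.1 install that only received the 7.15.0+ file, the script reports the webwork jar and CachedConfigurationProvider.class as missing, which is the mismatch Andy asked about.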

1 vote
Bastian Stehmann
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 13, 2022

Hi @hongjiangli ,

as Confluence has published in its advisory, that's true.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

And that is what End Of Life means: Atlassian does not support those versions any more. If you want to get fixes or support, you need to be running a supported version of the application.
