
CVE-2022-26134 not work for 7.1.1

I followed this security advisory and updated Confluence with the mitigation.

CVE-advisory 

I found my Confluence instance is still hacked by kinsing (kdevtmpfsi).

Confluence End Of Life versions are not fully tested with the workaround???

Is this true?

2 answers

1 vote

Hi @hongjiangli,


As Confluence has published in its Advisory, that's true.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

And that is what End Of Life means: Atlassian does not support those versions any more. If you want to get fixes / support, you need to be running a supported version of the application.

0 votes
Andy Heinzer Atlassian Team Jun 13, 2022

The mitigation steps have been tested for 6.0.0 and higher versions. However, there are different mitigation steps for 7.15.0 and higher versions when compared to 7.14.2 and lower versions. The older versions require additional mitigation steps when compared to the more recent versions.

Is it possible that you might have followed the steps for 7.15.0 and higher versions instead of the 6.0.0-7.14.2 mitigation steps?

Hi, Andy

I find the steps for 7.15.0 and higher versions include the 6.0.0-7.14.2 mitigation steps.

The difference is one patch file:

    xwork-1.0.3-atlassian-10.jar

and three patch files:

    xwork-1.0.3-atlassian-10.jar
    webwork-2.1.5-atlassian-4.jar
    CachedConfigurationProvider.class

Thanks,

License is EOL, we just want to fix it.
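As an added example (not from this thread or from Atlassian's advisory), a POSIX shell check that picks the mitigation file set for a Confluence version the way Andy and LEON describe it (one jar for 7.15.0 and higher, three files for 6.0.0-7.14.2) and verifies that every file is present under the install directory, so a wrongly applied set shows up as MISSING lines. The directory layout under confluence/WEB-INF is an assumption about a typical install; adjust it to yours.

```shell
#!/bin/sh
# Added example: verify that the CVE-2022-26134 workaround files named in the
# thread are present for a given Confluence version. Install paths are assumed.

# Map a version string to the file set that applies:
# "new" for 7.15.0 and higher, "old" for 6.0.0-7.14.2, "unsupported" below 6.0.0.
mitigation_set() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  if [ "$major" -ge 8 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 15 ]; }; then
    echo new
  elif [ "$major" -ge 6 ]; then
    echo old
  else
    echo unsupported
  fi
}

# Files (relative to the install dir) expected for each set. Layout is assumed.
expected_files() {
  case "$1" in
    new) echo "confluence/WEB-INF/lib/xwork-1.0.3-atlassian-10.jar" ;;
    old) printf '%s\n' \
      "confluence/WEB-INF/lib/xwork-1.0.3-atlassian-10.jar" \
      "confluence/WEB-INF/lib/webwork-2.1.5-atlassian-4.jar" \
      "confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class" ;;
  esac
}

# Return 0 when every expected file for the version exists under $1, else 1.
# Prints one "present:" or "MISSING:" line per file for the operator.
check_mitigation() {
  install="$1"; version="$2"; missing=0
  set=$(mitigation_set "$version")
  if [ "$set" = unsupported ]; then
    echo "version $version: no tested workaround"; return 1
  fi
  for f in $(expected_files "$set"); do
    if [ -f "$install/$f" ]; then echo "present: $f"
    else echo "MISSING: $f"; missing=1; fi
  done
  return "$missing"
}

# Usage: check_mitigation /opt/atlassian/confluence 7.1.1
```

A 7.1.1 instance patched with only the 7.15.0+ jar will report the webwork jar and the CachedConfigurationProvider.class as MISSING, which is the mismatch the thread is chasing.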

Andy Heinzer Atlassian Team Jun 14, 2022

Yes, the workaround for older versions has additional steps, which is what I was trying to point out. The mitigation steps, though, are only intended to prevent being exploited by that specific CVE until you can upgrade.

There are also two other additional security advisories out there that affect 7.1.1, please see:

Being that there are other known CVEs for that version, and that version is EOL as well, it is possible that you could be getting exploited by a different CVE entirely here. 

Because of that, I would recommend that you upgrade to a supported version such as 7.13.7 that contains fixes for all of these CVEs.  You can renew a previous server license by going to https://my.atlassian.com or creating an evaluation license there that will work for 30 days, which should be long enough to complete the upgrade at least.


Andy

"Because of that, I would recommend that you upgrade to a supported version such as 7.13.7 that contains fixes for all of these CVEs.  You can renew a previous server license by going to https://my.atlassian.com or creating an evaluation license there that will work for 30 days, which should be long enough to complete the upgrade at least."

-- If I create an evaluation license and upgrade to 7.13.7, after 30 days, can I still use the old license to support basic service?

Of course I would like to upgrade; I am afraid the service would stop if I do not renew the license after the upgrade.


Thanks


LEON

Andy Heinzer Atlassian Team Jun 14, 2022

If I create an evaluation license and upgrade to 7.13.7, after 30 days, can I still use old license to support basic service?

No, the terms of your expired server license only allow you to use version releases before that license expired.  You won't be able to apply your old license to a newer version. The ability to upgrade is part of having an existing valid license applied to the system.  The evaluation licenses are the quick way to get a valid license so that you can do the upgrade itself. 

If the cost of a new license is a limitation to upgrading here, then I'd recommend reaching out to an Atlassian Partner, located within your country.  Ask that partner for a quote on a new Confluence Data Center license for your user level. It might be possible to obtain a discounted license depending on your organization details and the locations of your users.


Andy

Thanks for your explanation.

I find my instance missed this advisory; I have fixed it and am waiting to check.


LEON
