Do I have to update JRE or Confluence for security?

Hi there,

Excuse my potential noobness as I could be way off the mark here and don't mean to be alarmist.

Our confluence 4.1 installation runs off JRE 1.6.0 update 26 (Not sure if bundled with previous confluence or 4.1). Oracle have posted two critical security patches for Java SE (JDK & JRE) since then. Here is one:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Could confluence be an attack vector or at risk? Can I update the JRE version without breaking confluence 4.1 on my linux box? Should I update? If I update confluence to 4.2, will the new JRE be bundled with it?

Thanks!

Regards,

Morgan

2 answers

Hello Morgan,

Basically: YES, you should.

Why? First of all: ANYthing facing the internet can be a risk. If confluence is reachable from the internet, people can try to break in to wreak havoc. The decision to "not update" the security-relevant updates is yours alone. It's the classical dilemma of updating vs. breaking something.

IF you want to update, you really really really really should have a clone of your production site on a VM or other, do the update there, run your regression tests (a checklist with all important things that MUST work for your site to be operable, including tiny but important macros like for instance the Adaptavist Theme Builder macro "import" on my site). If all checks out well enough to let customers see it, update. Otherwise, fix it ASAP.

"Why the hell, it's only the "backwater Poodle Club" homepage, there is no important data on it?" Because even then, they could use your system to spread malware to innocent surfers who visit your site, or distribute illegal content through your server, making you pay for their bandwidth.

So Java and Linux security updates - Yes, but test it.

Plugin updates inside Confluence (via the Plugin Manager) - Yes, and test it.

About updating from 4.1 to 4.2: check the release notes, whether security-relevant bugfixes are included in 4.2 which are not included in updates for 4.1 (single plugins for instance). That might be security related, but usually the version change would be triggered by business or feature reasons. Read and judge and test, test, test.

Updating linux: That's a matter of trust. Do you trust your distribution to push out well-tested security-relevant updates or not? If not - do you want to test your complete system any time you update linux? Or would you rather move to another linux (no niche player, one of the major ones: ubuntu/debian, redhat, suse, (and others out there))?

Regarding your last question: For a production site, you should not use the "bundled" package. Set it up via EAR deployment. Do this for the following reasons:

* Updating Tomcat, Java, Database and Linux should be done independently from updating confluence

* That's it: Imagine you hold back an important security fix in tomcat or java just because the "checklists" macro does not run on Confluence 4.5.27 like you need it - and they break into your system. That cannot happen as fast if you use your linux update functions to update tomcat and java.

Regards, Josch
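One concrete pre-update check that fits the "run the test clone first" advice above, added here as an example and not taken from this thread or from Atlassian: a small POSIX sh script that finds the JRE a Confluence/Tomcat install would actually start with (JRE_HOME, then JAVA_HOME, then `java` on PATH), parses its version string, and compares it to a minimum update level. The minimum level passed in is a placeholder you supply from the advisory; the lookup order and the version naming (`1.x.0_NN`, which holds through Java 8) are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the JRE that Confluence
# would run on is older than a required minimum such as "1.6.0_29".
# The minimum is a constructed placeholder; take the real level from the
# Oracle advisory you are evaluating.

# java_version_key: turn "1.6.0_26" (or the first line of `java -version`,
# e.g. java version "1.6.0_26") into a sortable integer: major*100000 + update.
# Returns 1 for strings that do not use the 1.x.0_NN scheme (Java 9+ naming).
java_version_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)_\([0-9][0-9]*\).*/\2 \4/p')
    [ -n "$v" ] || return 1
    set -- $v
    echo $(( $1 * 100000 + $2 ))
}

# jre_needs_update MIN CURRENT: exit 0 when CURRENT is older than MIN,
# 1 when it is at or above MIN, 2 when either string cannot be parsed.
jre_needs_update() {
    min=$(java_version_key "$1") || return 2
    cur=$(java_version_key "$2") || return 2
    [ "$cur" -lt "$min" ]
}

# report_installed_jre MIN: locate the JRE the same way a Tomcat start script
# would (JRE_HOME, then JAVA_HOME, then PATH; an assumption of this example),
# run it, and print a verdict. Needs a Java installation, so it is only run
# when a minimum is given on the command line.
report_installed_jre() {
    if [ -n "${JRE_HOME:-}" ]; then bin="$JRE_HOME/bin/java"
    elif [ -n "${JAVA_HOME:-}" ]; then bin="$JAVA_HOME/bin/java"
    else bin=java; fi
    line=$("$bin" -version 2>&1 | head -n 1) || { echo "no java found at $bin"; return 2; }
    if jre_needs_update "$1" "$line"; then
        echo "UPDATE NEEDED: $bin reports '$line', minimum is $1"
        return 1
    fi
    echo "OK: $bin reports '$line' (minimum $1)"
}

# Usage: sh jrecheck.sh 1.6.0_29   (run on the test clone, then on production)
if [ -n "${1:-}" ]; then
    report_installed_jre "$1"
fi
```

Run it from the same environment file (or the same shell) that starts Confluence, otherwise JRE_HOME/JAVA_HOME may point at a different Java than the one the service uses; that mismatch between "the Java on the box" and "the Java Confluence runs" is exactly why the post separates Java updates from Confluence updates.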

Thanks mate! You answered my question and more.

Morgan,

As far as I understand, the recent Oracle security advisories are concerned with client-side vulnerabilities. They are about what can happen when you run an applet in your browser from a malicious web site. I am not 100% sure - there are not many details in those advisories.

What you should update first is Confluence itself (unrelated to the Oracle advisory) - there are constant security improvements in almost all releases. Then you need to update Java on your desktop computer (as a result of the advisory). Only then are you in a position to start thinking about upgrading the server JRE, middleware, and OS.

Regards,

Vitaly

Hi Vitaly,
are you saying 4.0 or 4.1 - or worse - 3.5 - with plugin updates are less secure than 4.2?

Regards, Josch

Josch,

It is best if you keep track of our advisories at http://confluence.atlassian.com/display/DOC/Confluence+Security

and subscribe to the technical alerts in http://my.atlassian.com to receive all updates about any security fixes.

Regards,

Vitaly
