Do I have to update JRE or Confluence for security?

Hi there,

Excuse my potential noobness as I could be way off the mark here and don't mean to be alarmist.

Our Confluence 4.1 installation runs off JRE 1.6.0 update 26 (not sure if bundled with a previous Confluence or 4.1). Oracle have posted two critical security patches for Java SE (JDK & JRE) since then. Here is one:

Could Confluence be an attack vector or at risk? Can I update the JRE version without breaking Confluence 4.1 on my Linux box? Should I update? If I update Confluence to 4.2, will the new JRE be bundled with it?

2 answers

Hello Morgan,

Basically: YES, you should.

Why? First of all: ANYthing facing the internet can be a risk. If Confluence is reachable from the internet, people can try to break in to wreak havoc. The decision to "not update" the security-relevant updates is yours alone. It's the classic dilemma of updating vs. breaking something.

IF you want to update, you really really really really should have a clone of your production site on a VM or otherwise, do the update there, and run your regression tests (a checklist with all important things that MUST work for your site to be operable, including tiny but important macros, like for instance the Adaptavist Theme Builder macro "import" on my site). If all checks out well enough to let customers see it, update. Otherwise, fix it ASAP.

"Why the hell, it's only the "backwater Poodle Club" homepage, there is no important data on it?" Because even then, they could use your system to spread malware to innocent surfers who visit your site, or distribute illegal content through your server, making you pay for their bandwidth.

So Java and Linux security updates - Yes, but test it.

Plugin updates inside Confluence (via the Plugin Manager) - Yes, and test it.

About updating from 4.1 to 4.2: check the release notes for whether security-relevant bugfixes are included in 4.2 which are not included in updates for 4.1 (single plugins, for instance). That might be security related, but usually the version change would be triggered by business or feature reasons. Read and judge and test, test, test.

Updating Linux: that's a matter of trust. Do you trust your distribution to push out well-tested, security-relevant updates or not? If not, do you want to test your complete system any time you update Linux? Or would you rather move to another Linux (no niche player, one of the major ones: Ubuntu/Debian, Red Hat, SUSE, and others out there)?

Regarding your last question: for a production site, you should not use the "bundled" package. Set it up via EAR deployment. Do this for the following reasons:

* Updating Tomcat, Java, the database and Linux should be done independently from updating Confluence.

* That's it: imagine you hold back an important security fix in Tomcat or Java just because the "checklists" macro does not run on Confluence 4.5.27 like you need it, and they break into your system. That cannot happen as fast if you use your Linux update functions to update Tomcat and Java.

Regards, Josch

Thanks mate! You answered my question and more.


As far as I understand, the recent Oracle security advisories are concerned with client-side vulnerabilities. They are about what can happen when you run an applet in your browser from a malicious web site. I am not 100% sure - there are not many details in those advisories.

What you should update first is Confluence itself (unrelated to the Oracle advisory) - there are constant security improvements in almost all releases. Then you need to update Java on your desktop computer (as a result of the advisory). Only then are you in a position to start thinking about upgrading the server JRE, middleware, and OS.



Hi Vitaly,
are you saying 4.0 or 4.1 - or worse, 3.5 - with plugin updates are less secure than 4.2?

Regards, Josch


It is best if you keep track of our advisories at

and subscribe to the technical alerts in to receive all updates about any security fixes.
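An added example, not from any answer in this thread: a small POSIX shell check that parses the old-style Java version string (`1.6.0_26`, as in the question) out of `java -version` output and compares it against a minimum update level, so you can inventory which JRE Confluence actually runs on before deciding whether to update. The minimum versions used here are illustrative placeholders, not values taken from an Oracle advisory.

```shell
# Print the version string (e.g. 1.6.0_26) from `java -version` output.
java_version_of() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Turn "1.6.0_26" (optionally with a "-b03" or "-ea" suffix) into one integer
# so versions compare numerically: major, minor, micro, then update level.
version_key() {
    ver="${1%%-*}"                      # drop build/ea suffix
    base="${ver%%_*}"                   # 1.6.0
    update="${ver#*_}"                  # 26
    [ "$update" = "$ver" ] && update=0  # no "_NN" part at all
    major="${base%%.*}"
    rest="${base#*.}"
    [ "$rest" = "$base" ] && rest=0     # bare major version
    minor="${rest%%.*}"
    micro="${rest#*.}"
    [ "$micro" = "$rest" ] && micro=0   # no micro component
    echo $(( major * 1000000000 + minor * 1000000 + micro * 1000 + update ))
}

# Exit 0 when the detected version is at least MIN, 1 when it is older,
# 2 when no "java version" line was found in the output at all.
jre_meets_minimum() {
    found=$(java_version_of "$1")
    [ -n "$found" ] || return 2
    [ "$(version_key "$found")" -ge "$(version_key "$2")" ]
}

# Usage: JAVA_BIN=/path/to/confluence/jre/bin/java sh check-jre.sh 1.6.0_26
# Point JAVA_BIN at the JRE Confluence is started with (JAVA_HOME in its
# setenv script), not just whatever happens to be first on $PATH.
if [ $# -gt 0 ]; then
    out=$("${JAVA_BIN:-java}" -version 2>&1)
    if jre_meets_minimum "$out" "$1"; then
        echo "OK: $(java_version_of "$out") >= $1"
    else
        echo "UPDATE NEEDED: found '$(java_version_of "$out")', want >= $1" >&2
        exit 1
    fi
fi
```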