Do I have to update JRE or Confluence for security?

SSA IT April 17, 2012

Hi there,

Excuse my potential noobness as I could be way off the mark here and don't mean to be alarmist.

Our Confluence 4.1 installation runs off JRE 1.6.0 update 26 (not sure if bundled with a previous Confluence or 4.1). Oracle have posted two critical security patches for Java SE (JDK & JRE) since then. Here is one:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Could Confluence be an attack vector or at risk? Can I update the JRE version without breaking Confluence 4.1 on my Linux box? Should I update? If I update Confluence to 4.2, will the new JRE be bundled with it?

Thanks!

Regards,

Morgan

2 answers

1 vote
Joerg Bencke
April 17, 2012

Hello Morgan,

Basically: YES, you should.

Why? First of all: ANYthing facing the internet can be a risk. If Confluence is reachable from the internet, people can try to break in to wreak havoc. The decision to "not update" the security-relevant updates is yours alone. It's the classical dilemma of updating vs. breaking something.

IF you want to update, you really really really really should have a clone of your production site on a VM or other, do the update there, run your regression tests (a checklist with all important things that MUST work for your site to be operable, including tiny but important macros like, for instance, the Adaptavist Theme Builder macro "import" on my site). If all checks out well enough to let customers see it, update. Otherwise, fix it ASAP.

"Why the hell, it's only the "backwater Poodle Club" homepage, there is no important data on it?" Because even then, they could use your system to spread malware to innocent surfers who visit your site, or distribute illegal content through your server, making you pay for their bandwidth.

So Java and Linux security updates - Yes, but test it.

Plugin updates inside Confluence (via the Plugin Manager) - Yes, and test it.

About updating from 4.1 to 4.2: check the release notes, whether security-relevant bugfixes are included in 4.2 which are not included in updates for 4.1 (single plugins, for instance). That might be security related, but usually the version change would be triggered by business or feature reasons. Read and judge and test, test, test.

Updating Linux: That's a matter of trust. Do you trust your distribution to push out well-tested, security-relevant updates or not? If not - do you want to test your complete system any time you update Linux? Or would you rather move to another Linux (no niche player, one of the major ones: Ubuntu/Debian, Red Hat, SUSE, and others out there)?

Regarding your last question: For a production site, you should not use the "bundled" package. Set it up via EAR deployment. Do this for following reasons:

* Updating Tomcat, Java, Database and Linux should be done independently from updating confluence

* That's it: Imagine you hold back an important security fix in Tomcat or Java just because the "checklists" macro does not run on Confluence 4.5.27 like you need it - and they break into your system. That can not happen as fast if you use your Linux update functions to update Tomcat and Java.

Regards, Josch

SSA IT April 18, 2012

Thanks mate! You answered my question and more.

0 votes
VitalyA April 18, 2012

Morgan,

As far as I understand, the recent Oracle security advisories are concerned with client-side vulnerabilities. They are about what can happen when you run an applet in your browser from a malicious web site. I am not 100% sure - there are not many details in those advisories.

What you should update first is Confluence itself (unrelated to the Oracle advisory) - there are constant security improvements in almost all releases. Then you need to update Java on your desktop computer (as a result of the advisory). Only then are you in a position to start thinking about upgrading the server JRE, middleware, and OS.

Regards,

Vitaly

Joerg Bencke
April 18, 2012

Hi Vitaly,
are you saying 4.0 or 4.1 - or worse - 3.5 - with plugin updates are less secure than 4.2?

Regards, Josch

VitalyA April 19, 2012

Josch,

It is best if you keep track of our advisories at http://confluence.atlassian.com/display/DOC/Confluence+Security

and subscribe to the technical alerts in http://my.atlassian.com to receive all updates about any security fixes.

Regards,

Vitaly
