How loosely-coupled is Confluence and Tomcat?

Hi Guys,

Newbie here involved in my first Confluence deployment for a very large US company. Please be gentle.

We recently downloaded and installed the 3.5.13 release of Confluence. Tomcat 6.0.32 was bundled with it. The head of IT Security at our company identified 4 security vulnerabilities with that release of Tomcat. 3 of these are fixed in Tomcat 6.0.33. The other and most critical one is CVE-2011-3190. This vulnerability looks to be addressed in a "not-yet-released" version of Tomcat 6.0.34. So the fact that a specific release of Tomcat was bundled with Confluence raises some questions about if and when we apply patches or upgrades to Tomcat:

  1. What is the risk (if any) I take if I apply a release update or patch to Tomcat without also upgrading Confluence? In other words, can I go to Tomcat 6.0.33 and then 6.0.34 independent of an increase in the Confluence 3.5 line?
  2. How fast does Atlassian typically turnaround a new release of Confluence to incorporate Tomcat release changes, especially when a critical security vulnerability is in play?

I need to provide our Security Leader assurances that we will be able to address these vulnerabilities in a timely manner, so any insight anyone has or can point me to is greatly appreciated.

2 answers

1 accepted

4 votes
Accepted answer
Joe Clark Atlassian Team Sep 25, 2011

We do release updates for Confluence if we need to upgrade the version of Tomcat shipped with standalone for security reasons - bugfix releases for Confluence are generally released every 2-3 weeks. If you ever have questions about specific versions of Confluence and/or Tomcat, you can raise a support request to discuss details with us.

The issue you linked to looks like it relates to the Tomcat AJP connector, which is not used in the standalone version of Confluence by default.

Thanks, Joseph. As it turns out, we are also using the SharePoint Connector with IWA, which requires the AJP connector (click here to see that documentation). So to us, the security issue is very relevant.

In any case, I take it that I can apply the 6.0.33 release of Tomcat now and the 6.0.34 release of Tomcat later without expecting big problems. We figured that, but the documentation on the Supported Platforms page is a bit ambiguous. Note that it says for Tomcat: "5.5.20 - 6.0", not "5.5.20 - 6.0.x".

Joe Clark Atlassian Team Sep 26, 2011

Ah, no worries. :-) Yes, dropping in a point release of Tomcat should be easy-peasy.

I'll see if I can get that supported platforms page updated to fix the ambiguity.
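As an added example (not code from this thread, from Atlassian, or from Tomcat), here is a small Python check a deployer could run against a standalone install to answer the two questions the accepted answer turns on: which Tomcat is actually bundled, and whether an AJP connector is active in conf/server.xml at all, since a commented-out connector is never started. The install paths, the "fixed in" version passed as a parameter, and the sample server.xml and ServerInfo.properties text are assumptions constructed for illustration, modelled on the default layout of a Confluence standalone install.

```python
"""Added example: inspect a Confluence standalone install's bundled Tomcat.

Reports (a) the Tomcat version, read from the ServerInfo.properties file
that Tomcat ships inside lib/catalina.jar, and (b) whether an AJP
connector is actually active in conf/server.xml, which decides whether an
AJP-only Tomcat issue applies to this install at all. File paths and the
sample inputs below are assumptions for illustration.
"""
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample of the ServerInfo.properties text inside lib/catalina.jar.
SAMPLE_SERVER_INFO = "server.info=Apache Tomcat/6.0.32\nserver.number=6.0.32.0\n"

# Constructed server.xml modelled on the Confluence standalone default:
# HTTP connector on 8090 active, AJP connector present but commented out.
SAMPLE_SERVER_XML_AJP_OFF = """\
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" maxThreads="48" />
    <!-- AJP connector, commented out:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Same layout with the AJP connector uncommented, as an install fronted by
# IIS/IWA over AJP (the SharePoint Connector case above) would have.
SAMPLE_SERVER_XML_AJP_ON = SAMPLE_SERVER_XML_AJP_OFF.replace(
    "<!-- AJP connector, commented out:\n", "").replace("    -->\n", "")

VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(server_info_text):
    """Return (major, minor, patch) from 'server.info=Apache Tomcat/x.y.z'."""
    m = VERSION_RE.search(server_info_text)
    if not m:
        raise ValueError("no 'Apache Tomcat/x.y.z' string found")
    return tuple(int(g) for g in m.groups())


def read_server_info(catalina_jar_path):
    """Read ServerInfo.properties out of a real lib/catalina.jar."""
    with zipfile.ZipFile(catalina_jar_path) as jar:
        return jar.read("org/apache/catalina/util/ServerInfo.properties").decode("utf-8")


def active_connectors(server_xml_text):
    """All <Connector> elements Tomcat would actually start.

    ElementTree drops XML comments while parsing, so a commented-out
    connector does not appear here, matching what Tomcat itself does."""
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")]


def is_ajp(connector):
    # Tomcat selects AJP via protocol="AJP/1.3" or an explicit AJP protocol
    # class name; a missing protocol attribute means HTTP/1.1.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.upper().startswith("AJP/") or "ajp" in proto.lower()


def ajp_connectors(server_xml_text):
    return [c for c in active_connectors(server_xml_text) if is_ajp(c)]


def assess(server_info_text, server_xml_text, fixed_in):
    """Summarise version, whether it is below fixed_in, and whether AJP is live."""
    version = parse_tomcat_version(server_info_text)
    ajp = ajp_connectors(server_xml_text)
    return {
        "version": version,
        "below_fixed_version": version < fixed_in,
        "ajp_ports": [c.get("port") for c in ajp],
        # An AJP-only issue is relevant only if both conditions hold.
        "ajp_issue_applies": version < fixed_in and bool(ajp),
    }


if __name__ == "__main__":
    # Against a real install (path is an assumption):
    #   info = read_server_info("/opt/confluence/lib/catalina.jar")
    #   xml_text = open("/opt/confluence/conf/server.xml").read()
    for label, xml_text in (("AJP off", SAMPLE_SERVER_XML_AJP_OFF),
                            ("AJP on", SAMPLE_SERVER_XML_AJP_ON)):
        print(label, assess(SAMPLE_SERVER_INFO, xml_text, fixed_in=(6, 0, 34)))
```

The version is taken from catalina.jar rather than from a directory name because a dropped-in Tomcat point release, which the accepted answer says is fine to do independently of Confluence, changes the jar but not necessarily the install path.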

4 votes

Confluence is a standard web-application which you can try to run in any application server you want. It doesn't have to be run in Tomcat at all, let alone a specific version.

Confluence "standalone" is simply a bundle of Confluence, Tomcat and a database server which are known to work well, and Atlassian do release quick updates to it if Tomcat needs a security update, but there should be no problem with using later versions of Tomcat with the current version of Confluence.

Of course, it's a little more complex though. Confluence standalone is great for getting up and running quickly, but most large users don't use standalone - they use the WAR version with their own Tomcat/other-app-server. None of my current clients are using the bundled version of Tomcat for assorted reasons.

All I can really recommend when it comes to specific versions is that you upgrade/patch a test system and see how well it works. I expect you'll be absolutely fine!

Thanks, Nic - very helpful!
