Newbie here involved in my first Confluence deployment for a very large US company. Please be gentle.
We recently downloaded and installed the 3.5.13 release of Confluence. Tomcat 6.0.32 was bundled with it. The head of IT Security at our company identified 4 security vulnerabilities with that release of Tomcat. 3 of these are fixed in Tomcat 6.0.33. The other and most critical one is CVE-2011-3190. This vulnerability looks to be addressed in a "not-yet-released" version of Tomcat 6.0.34. So the fact that a specific release of Tomcat was bundled with Confluence raises some questions about if and when we apply patches or upgrades to Tomcat:
I need to provide our Security Leader assurances that we will be able to address these vulnerabilities in a timely manner, so any insight anyone has or can point me to is greatly appreciated.
We do release updates for Confluence if we need to upgrade the version of Tomcat shipped with standalone for security reasons - bugfix releases for Confluence are generally released every 2-3 weeks. If you ever have questions about specific versions of Confluence and/or Tomcat, you can raise a support request to discuss details with us.
The issue you linked to looks like it relates to the Tomcat AJP connector, which is not used in the standalone version of Confluence by default.
Thanks, Joseph. As it turns out, we are also using the SharePoint Connector with IWA which requires the AJP connector (click here to see that documentation). So to us, the security issue is very relevant.
In any case, I take it that I can apply the 6.0.33 release of Tomcat now and the 6.0.34 release of Tomcat later without expecting big problems. We figured that, but the documentation on the Supported Platform page is a bit ambiguous. Note that it says for Tomcat: "5.5.20 - 6.0", not "5.5.20 - 6.0.x".
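Whether the AJP issue raised above applies to a given install comes down to two facts from this exchange: is an AJP connector actually active in Tomcat's server.xml (the standalone default leaves it out, the SharePoint Connector/IWA setup turns it on), and which Tomcat build is installed. The script below is an added example, not code from this thread or from Atlassian. The server.xml and ServerInfo.properties contents are constructed samples, and the 6.0.34 fix version is taken from the post above as a parameter rather than verified here.

```python
"""Added example (not from the original thread): given the contents of a Tomcat
server.xml and its ServerInfo.properties, report whether any AJP connector is
actually live and whether the Tomcat build is older than a given fix version.
All sample inputs below are constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the usual HTTP connector, one AJP connector
# left commented out (as shipped), and one AJP connector that has been enabled.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" maxHttpHeaderSize="8192" protocol="HTTP/1.1" />
    <!-- <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" />
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample of org/apache/catalina/util/ServerInfo.properties, the
# file inside catalina.jar that records the Tomcat build actually deployed.
SAMPLE_SERVER_INFO = """server.info=Apache Tomcat/6.0.32
server.number=6.0.32.0
server.built=February 2 2011
"""


def active_ajp_connectors(server_xml):
    """Return (port, bind address) for every live AJP connector.

    ElementTree drops XML comments while parsing, so a connector that is only
    present inside <!-- --> is correctly not reported as active.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Tomcat accepts either "AJP/1.3" or the AjpProtocol class name.
        if proto.startswith("AJP") or "AjpProtocol" in proto:
            found.append((int(conn.get("port")), conn.get("address", "all interfaces")))
    return found


def tomcat_version(server_info):
    """Parse 'server.info=Apache Tomcat/x.y.z' into an integer tuple."""
    m = re.search(r"^server\.info=Apache Tomcat/(\d+(?:\.\d+)+)", server_info, re.M)
    if not m:
        raise ValueError("server.info line not found")
    return tuple(int(p) for p in m.group(1).split("."))


def needs_upgrade(installed, fixed_in):
    """Numeric comparison: 6.0.9 < 6.0.33, which a plain string compare gets wrong."""
    return installed < fixed_in


def assess(server_xml, server_info, fixed_in=(6, 0, 34)):
    """Summarise exposure: AJP live at all, and build older than the fix version
    (6.0.34 is the version named in the thread above, used here as a parameter)."""
    ajp = active_ajp_connectors(server_xml)
    ver = tomcat_version(server_info)
    return {
        "tomcat": ver,
        "ajp": ajp,
        "ajp_exposed": bool(ajp),
        "below_fix": needs_upgrade(ver, fixed_in),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_XML, SAMPLE_SERVER_INFO))
```

Run it against the real files (conf/server.xml, and ServerInfo.properties extracted from lib/catalina.jar) rather than against the bundled version number in the Confluence release notes; the bind address matters too, since an AJP connector bound to 0.0.0.0 is reachable from anything that can route to the port, whereas one bound to 127.0.0.1 is only reachable by a local front end.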
Confluence is a standard web-application which you can try to run in any application server you want. It doesn't have to be run in Tomcat at all, let alone a specific version.
Confluence "standalone" is simply a bundle of Confluence, Tomcat and a database server which are known to work well, and Atlassian do release quick updates to it if Tomcat needs a security update, but there should be no problem with using later versions of Tomcat with the current version of Confluence.
Of course, it's a little more complex though. Confluence standalone is great for getting up and running quickly, but most large users don't use standalone - they use the WAR version with their own Tomcat/other-app-server. None of my current clients are using the bundled version of Tomcat for assorted reasons.
All I can really recommend when it comes to specific versions is that you upgrade/patch a test system and see how well it works. I expect you'll be absolutely fine!