You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
I need to fix CVE-2023-22518 on my confluence server, but our license expired, and not compatible with recommended versions, 7.19.16 etc.
What I can do?
Hi @Игорь Кувшинников ,
Apply temporary mitigations if unable to patch
1. This is possible at the network layer or by making the following changes to Confluence configuration files.
On each node, modify
/<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the
</web-app> tag at the end of the file):
<security-constraint> <web-resource-collection> <url-pattern>/json/setup-restore.action</url-pattern> <url-pattern>/json/setup-restore-local.action</url-pattern> <url-pattern>/json/setup-restore-progress.action</url-pattern> <http-method-omission>*</http-method-omission> </web-resource-collection> <auth-constraint /> </security-constraint>
2. Restart Confluence.
Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible
We are in the same situation here.
When I tried to apply this patch, we are getting below error message
2023-11-14 11:55:10,319 ERROR [Catalina-utility-1] [ContainerBase.[Standalone].[localhost].[/]] log For security constraints with URL pattern [/json/setup-restore.action] the HTTP methods [*] are uncovered. ││ 2023-11-14 11:55:10,324 ERROR [Catalina-utility-1] [ContainerBase.[Standalone].[localhost].[/]] log For security constraints with URL pattern [/json/setup-restore-progress.action] the HTTP methods [*] are uncovered. ││ 2023-11-14 11:55:10,324 ERROR [Catalina-utility-1] [ContainerBase.[Standalone].[localhost].[/]] log For security constraints with URL pattern [/json/setup-restore-local.action] the HTTP methods [*] are uncovered.
Any idea on this please?