One of our clients has a security concern about using the default installed version of Apache Tomcat that comes with Confluence 7.4.9. He said it's affected by multiple vulnerabilities, as referenced in the vendor advisory, and he's suggesting upgrading to Apache Tomcat 9.0.43 or later. The same should be done for both Jira 8.13.8 and Confluence. Any advice, please?
I did some research and I found that this could have an impact on official support, so when are you planning to officially support Tomcat 9?
Your Atlassian systems are only supported on the Tomcats that they are bundled with. If you rip them out and deploy the applications into another Tomcat (which is not easy), you render yourself unsupported, and there's a good chance upgrades will not work at all.
I would recommend waiting until there is a long-term-support version bundled with your preferred (or higher) version of Tomcat and upgrade to that.
Well, I usually stick it behind a proxy and do the SSL stuff there, but yes, you can disable TLS in Tomcat if you are still using it directly, and this is fully supported.
I think it's actually already disabled in more recent versions, so a plain install or upgrade will do it automatically.
Check the server.xml for the word "protocol", you'll find references to all supported protocols. Remove the TLS1.0 and 1.1 references and restart Confluence and Jira.
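The server.xml check described above can be scripted. This is an added example, not part of the original posts and not Atlassian's own tooling. It assumes the connector uses Tomcat's `sslEnabledProtocols` attribute or an `SSLHostConfig` `protocols` attribute, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

LEGACY = {"TLSv1", "TLSv1.1"}  # the versions the thread says to remove
# Tomcat 9 documents "all" as an alias for this set.
ALL = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def enabled_protocols(value):
    """Resolve a Tomcat protocol list such as 'all,-TLSv1' or 'TLSv1.2+TLSv1.3'."""
    enabled = set()
    for sign, name in re.findall(r"([+-]?)\s*([A-Za-z0-9.]+)", value):
        names = ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names   # a minus prefix removes a protocol
        else:
            enabled |= names   # a bare or plus-prefixed token adds it
    return enabled

def legacy_tls_findings(server_xml_text):
    """Return (element, attribute, legacy protocols) for each offending setting."""
    findings = []
    for elem in ET.fromstring(server_xml_text).iter():
        if elem.tag not in ("Connector", "SSLHostConfig"):
            continue
        # The Connector's own protocol="HTTP/1.1" attribute is not a TLS
        # setting, so only the two TLS version lists are inspected.
        for attr in ("sslEnabledProtocols", "protocols"):
            if attr in elem.attrib:
                bad = enabled_protocols(elem.attrib[attr]) & LEGACY
                if bad:
                    findings.append((elem.tag, attr, sorted(bad)))
    return findings

# Constructed sample, not taken from a real Jira or Confluence install.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8090" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8444" SSLEnabled="true">
      <SSLHostConfig protocols="all,-TLSv1,-TLSv1.1"/>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for tag, attr, bad in legacy_tls_findings(SAMPLE):
        print(f"{tag} {attr}: still enables {', '.join(bad)}")
```

A connector with no protocol list at all produces no finding here, because it relies on the defaults of the bundled Tomcat and JVM.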
Sorry for the late response. Yes, I was confirming with Atlassian the unsupported situation after upgrading the Tomcat. It's confirmed, and vulnerabilities have been fixed with the new Tomcat patches.
Regarding the TLS, it can be managed at the proxy/load balancer level where the SSL terminates; it should not be configured at the Tomcat level, and as they are using F5 it will be handled there.