
Upgrade to Apache Tomcat 9.0.43 or later

One of our clients has a security concern about using the default installed version of Apache Tomcat that comes with Confluence 7.4.9. He said it's affected by multiple vulnerabilities as referenced in the vendor advisory, and he's suggesting upgrading to Apache Tomcat 9.0.43 or later. The same should be done for both Jira 8.13.8 and Confluence. Any advice, please?

I did some research and found that this could have an impact on the official support, so when are you planning on officially supporting Tomcat 9?

1 answer

1 vote

Your Atlassian systems are only supported on the Tomcats that they are bundled with.  If you rip them out and deploy the applications into another Tomcat (which is not easy), you render yourself unsupported, and there's a good chance upgrades will not work at all.

I would recommend waiting until there is a long-term-support version bundled with your preferred (or higher) version of Tomcat and upgrade to that.

Understood, thank you Nic. And how about an LTS, they suggest enabling support only for TLS 1.2 and 1.3 and disabling the default one, which is TLS 1.0, for security concerns. Please advise?

Well, I usually stick it behind a proxy and do the SSL stuff there, but yes, you can disable TLS in Tomcat if you are still using it directly, and this is fully supported.

I think it's actually already disabled in more recent versions, so a plain install or upgrade will do it automatically.

Check the server.xml for the word "protocol", you'll find references to all supported protocols.  Remove the TLS1.0 and 1.1 references and restart Confluence and Jira.
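The check described above, as an added example that is not part of the original thread: a Python script that reads a Tomcat `server.xml`, expands the protocol list on each TLS connector, and reports any that still allow TLS 1.0 or 1.1. The sample XML and port numbers are constructed; `sslEnabledProtocols` and `SSLHostConfig protocols` are the standard Tomcat attributes, and a connector with neither set is reported as unpinned because its defaults depend on the Tomcat and Java versions.

```python
import re
import xml.etree.ElementTree as ET

WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Tomcat documents "all" as an alias for this list.
ALL = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def expand(spec):
    """Expand a Tomcat protocol list such as 'all,-TLSv1' or 'TLSv1.2+TLSv1.3'."""
    enabled = []
    for sign, name in re.findall(r"([+\-,]?)\s*([A-Za-z0-9.]+)", spec):
        for n in (ALL if name.lower() == "all" else [name]):
            if sign == "-":
                if n in enabled:
                    enabled.remove(n)
            elif n not in enabled:
                enabled.append(n)
    return enabled

def audit(server_xml):
    """Return (port, enabled_protocols or None, weak_protocols) per TLS connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to check
        specs = [h.get("protocols") for h in conn.iter("SSLHostConfig")]
        specs.append(conn.get("sslEnabledProtocols"))  # older connector-level form
        enabled = sorted({p for s in specs if s for p in expand(s)})
        weak = [p for p in enabled if p in WEAK]
        findings.append((conn.get("port"), enabled or None, weak))
    return findings

# Constructed sample, not taken from a real Confluence or Jira install.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8090" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"/>
  </Connector>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, enabled, weak in audit(SAMPLE):
        if enabled is None:
            print(f"port {port}: protocols not pinned, defaults apply")
        else:
            print(f"port {port}: {', '.join(enabled)}; weak: {weak or 'none'}")
```

To run it against a real install, pass the contents of the instance's `conf/server.xml` to `audit()` instead of `SAMPLE`.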

Hi Nic,

 

Sorry for the late response. Yes, I was confirming with Atlassian the unsupported situation after upgrading the Tomcat; it's confirmed, and vulnerabilities have been fixed with the new Tomcat patches.

Regarding the TLS, it can be managed at the proxy/load balancer level where the SSL terminates and should not be configured at the Tomcat level, and as they are using F5, it will be handled there.

 

Thank you
