
What version of Tomcat is packaged with confluence-7.3.4?

We recently upgraded to Confluence 7.3.2, which includes Tomcat 9.0.27.

Our Nessus security scans pick up on this and report issues related to CVE-2019-17569, CVE-2020-1935, and CVE-2020-1938 which are all fixed on Tomcat 9.0.31.

4 answers, 1 accepted

Answer accepted

Thanks guys. I ended up installing a test instance. Once that was in place I was able to use CATALINA_HOME/bin/version.sh to report the Tomcat version, among other things.

confluence@hostname:/wiki> confluence-7.3.4/bin/version.sh
If you encounter issues starting up Confluence, please see the Installation guide at http://confluence.atlassian.com/display/DOC/Confluence+Installation+Guide

Server startup logs are located in /wiki/confluence-7.3.4/logs/catalina.out
---------------------------------------------------------------------------
Using Java: /usr/local/java/openjdk1.8.0_242/jre//bin/java
2020-03-27 08:13:48,152 INFO [main] [atlassian.confluence.bootstrap.SynchronyProxyWatchdog] A Context element for ${confluence.context.path}/synchrony-proxy is found in /wiki/confluence-7.3.4/conf/server.xml. No further action is required
---------------------------------------------------------------------------
Using CATALINA_BASE: /wiki/confluence-7.3.4
Using CATALINA_HOME: /wiki/confluence-7.3.4
Using CATALINA_TMPDIR: /wiki/confluence-7.3.4/temp
Using JRE_HOME: /usr/local/java/openjdk1.8.0_242/jre/
Using CLASSPATH: /wiki/confluence-7.3.4/bin/bootstrap.jar:/wiki/confluence-7.3.4/bin/tomcat-juli.jar
Using CATALINA_PID: /wiki/confluence-7.3.4/work/catalina.pid
Server version: Apache Tomcat/9.0.33
Server built: Mar 11 2020 09:31:38 UTC
Server number: 9.0.33.0
OS Name: Linux
OS Version: 3.10.0-1062.12.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_242-b08
JVM Vendor: AdoptOpenJDK

@Rusty_Rusty To check the Tomcat version, go to General configuration > System information > Java Runtime Environment > Application Server.

You will find it there, but you need to be a Confluence admin.

Thanks @Moses Thomas but I'd like to know before installing.  I'd prefer to hold off on another upgrade until a version is available that I know resolves the issue.

The release notes will generally list if a newer version of Tomcat has been shipped with a particular version of the application.

In this case, however, there is an open issue tracking CVE-2020-1938 specifically.

Thanks Gareth. The only reference I could find to Tomcat in the release notes was in those for version 6.10, which references using Tomcat 9.

So nothing really specific there that I could find, but it's certainly possible that I'm just missing it.

I wanted to check the current Enterprise release of Confluence, 6.13.11, which appears to still have the vulnerable version 9.0.22:

(downloaded tar.gz and unbundled in temp directory)

java -cp atlassian-confluence-6.13.11/lib/catalina.jar org.apache.catalina.util.ServerInfo

Server version: Apache Tomcat/9.0.22
Server built:   Jul 4 2019 14:20:06 UTC
Server number:  9.0.22.0
OS Name:        Linux
OS Version:     2.6.32-754.28.1.el6.x86_64
Architecture:   amd64
JVM Version:    1.8.0_241-b26
JVM Vendor:     Oracle Corporation

I don't have that version handy, but based on your post it certainly appears to be running the vulnerable Tomcat.

I think Confluence 7.3.4 is the only version that includes a Tomcat build with fixes for CVE-2019-17569, CVE-2020-1935, and CVE-2020-1938.

Also, regarding 6.13.11, it appears that EOL is Dec 4, 2020, so you'll only get 8 months before you're out of support on that version.

Thanks!  We are following the Enterprise release which is going to jump to v7 when 7.4.x is released (soon?), but is currently 6.13.x

https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html
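As an added example that is not part of this thread (and not Atlassian's or Tomcat's own code), the manual checks above can be scripted: run Tomcat's ServerInfo class from the bundled catalina.jar the way the 6.13.11 post does, compare the version it reports with 9.0.31 (the first fixed release named in the question), and, since CVE-2020-1938 is a flaw in Tomcat's AJP connector, also look at whether conf/server.xml enables an AJP connector outside an XML comment. The function names, the lib/catalina.jar and conf/server.xml layout under the unpacked directory, and the sample ServerInfo and server.xml text are my assumptions and constructed inputs, not captured from a real install.

```shell
#!/bin/sh
# Added example, not from the original thread or from Atlassian/Tomcat.
# Checks an unpacked Confluence distribution for the Tomcat fixes discussed
# above and for an active AJP connector (the component behind CVE-2020-1938).
# Assumed layout: <dir>/lib/catalina.jar and <dir>/conf/server.xml.

TOMCAT_FIXED_VERSION="9.0.31"   # first fixed Tomcat 9 release, as cited in the question

# Read ServerInfo/version.sh output on stdin and print just "9.0.22" from
# a line such as "Server version: Apache Tomcat/9.0.22".
tomcat_version_from_serverinfo() {
    sed -n 's#^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*$#\1#p' | head -n 1
}

# Run Tomcat's own ServerInfo class from the bundled jar (the check used in the thread).
# Fails (status 2) if java cannot run it or no version line is found.
tomcat_version_of_dir() {
    out=$(java -cp "$1/lib/catalina.jar" org.apache.catalina.util.ServerInfo 2>/dev/null) || return 2
    ver=$(printf '%s\n' "$out" | tomcat_version_from_serverinfo)
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver"
}

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# component by component (missing trailing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Read server.xml on stdin; succeed if a Connector with protocol="AJP/1.3"
# appears outside <!-- ... --> comments (a commented-out connector does not count).
ajp_connector_enabled() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) break
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' | grep -q 'protocol="AJP/1.3"'
}

# One-line verdict for a Tomcat version string; succeeds only when it is fixed.
assess_tomcat_version() {
    if version_ge "$1" "$TOMCAT_FIXED_VERSION"; then
        echo "Tomcat $1: at or above $TOMCAT_FIXED_VERSION, fixes for CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938 present"
        return 0
    fi
    echo "Tomcat $1: below $TOMCAT_FIXED_VERSION, still affected"
    return 1
}

# Full check of an unpacked distribution directory, e.g.:
#   check_confluence_dir atlassian-confluence-6.13.11
check_confluence_dir() {
    ver=$(tomcat_version_of_dir "$1") || { echo "could not determine Tomcat version in $1"; return 2; }
    if assess_tomcat_version "$ver"; then rc=0; else rc=1; fi
    if ajp_connector_enabled < "$1/conf/server.xml"; then
        echo "AJP connector enabled in $1/conf/server.xml (relevant to CVE-2020-1938)"
    else
        echo "No active AJP connector in $1/conf/server.xml"
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real install) so the helpers
# can be exercised without a Confluence download or a JVM.
SAMPLE_SERVERINFO='Server version: Apache Tomcat/9.0.22
Server built:   Jul 4 2019 14:20:06 UTC
Server number:  9.0.22.0'

SAMPLE_SERVER_XML='<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" />
    -->
  </Service>
</Server>'
```

Source the file and call check_confluence_dir on the unpacked tarball; the ServerInfo route needs a JVM but no running Confluence, so it answers the "know before installing" question. The version comparison is deliberately numeric rather than a string compare, so 9.0.33 and 9.0.100 both rank above 9.0.31; the AJP check is a signal about exposure to CVE-2020-1938 only and does not change the fact that the bundled build is or is not fixed.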

Deployment type: Server