
What version of Tomcat is packaged with confluence-7.3.4?

Rusty Rusty March 26, 2020

We recently upgraded to Confluence 7.3.2, which includes Tomcat 9.0.27.

Our Nessus security scans pick up on this and report issues related to CVE-2019-17569, CVE-2020-1935, and CVE-2020-1938, which are all fixed on Tomcat 9.0.31.

4 answers

1 accepted

0 votes
Answer accepted
Rusty Rusty March 27, 2020

Thanks guys. I ended up installing a test instance. Once that was in place I was able to use CATALINA_HOME/bin/version.sh to report the Tomcat version, among other things.

confluence@hostname:/wiki> confluence-7.3.4/bin/version.sh
If you encounter issues starting up Confluence, please see the Installation guide at http://confluence.atlassian.com/display/DOC/Confluence+Installation+Guide

Server startup logs are located in /wiki/confluence-7.3.4/logs/catalina.out
---------------------------------------------------------------------------
Using Java: /usr/local/java/openjdk1.8.0_242/jre//bin/java
2020-03-27 08:13:48,152 INFO [main] [atlassian.confluence.bootstrap.SynchronyProxyWatchdog] A Context element for ${confluence.context.path}/synchrony-proxy is found in /wiki/confluence-7.3.4/conf/server.xml. No further action is required
---------------------------------------------------------------------------
Using CATALINA_BASE: /wiki/confluence-7.3.4
Using CATALINA_HOME: /wiki/confluence-7.3.4
Using CATALINA_TMPDIR: /wiki/confluence-7.3.4/temp
Using JRE_HOME: /usr/local/java/openjdk1.8.0_242/jre/
Using CLASSPATH: /wiki/confluence-7.3.4/bin/bootstrap.jar:/wiki/confluence-7.3.4/bin/tomcat-juli.jar
Using CATALINA_PID: /wiki/confluence-7.3.4/work/catalina.pid
Server version: Apache Tomcat/9.0.33
Server built: Mar 11 2020 09:31:38 UTC
Server number: 9.0.33.0
OS Name: Linux
OS Version: 3.10.0-1062.12.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_242-b08
JVM Vendor: AdoptOpenJDK

0 votes
Chuck Solie April 7, 2020

I wanted to check the current Enterprise release of Confluence, 6.13.11, which appears to still have the vulnerable version 9.0.22:

(downloaded tar.gz and unbundled in temp directory)

java -cp atlassian-confluence-6.13.11/lib/catalina.jar org.apache.catalina.util.ServerInfo

Server version: Apache Tomcat/9.0.22
Server built:   Jul 4 2019 14:20:06 UTC
Server number:  9.0.22.0
OS Name:        Linux
OS Version:     2.6.32-754.28.1.el6.x86_64
Architecture:   amd64
JVM Version:    1.8.0_241-b26
JVM Vendor:     Oracle Corporation
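
Added example (not part of the original posts, and not Atlassian's code): a shell helper that reads the output of the ServerInfo command above, or of version.sh from the accepted answer, and flags a bundled Tomcat 9.0.x below 9.0.31, the release the question says fixes the three CVEs. The function names are hypothetical, and the 9.0.31 threshold is assumed to apply to the 9.0.x branch only.

```shell
#!/bin/sh
# Added example: classify a bundled Tomcat from ServerInfo/version.sh output.
# FIXED_IN is the 9.0.x release the thread says fixes the scanner findings;
# it is an assumption that no other branch needs to be handled here.
FIXED_IN="9.0.31"

# Print the "Server number:" value (e.g. 9.0.22.0) read from stdin.
tomcat_number() {
    sed -n 's/^Server number:[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*$/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, compared numerically
# per component (a string compare would rank 9.0.4 above 9.0.31).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read ServerInfo output on stdin, print a verdict, and return
# 0 = at or above FIXED_IN, 1 = below it, 2 = cannot decide.
classify_tomcat() {
    num=$(tomcat_number)
    [ -n "$num" ] || { echo "UNKNOWN: no 'Server number:' line"; return 2; }
    case $num in
        9.0.*) ;;
        *) echo "UNKNOWN: $num is not 9.0.x, $FIXED_IN does not apply"; return 2 ;;
    esac
    if version_ge "$num" "$FIXED_IN"; then
        echo "OK: Tomcat $num >= $FIXED_IN"; return 0
    fi
    echo "FLAG: Tomcat $num < $FIXED_IN"; return 1
}

# Sample input: the version lines quoted in this thread.
SAMPLE_6_13_11='Server version: Apache Tomcat/9.0.22
Server number:  9.0.22.0'
SAMPLE_7_3_4='Server version: Apache Tomcat/9.0.33
Server number: 9.0.33.0'
printf '%s\n' "$SAMPLE_6_13_11" | classify_tomcat || true
printf '%s\n' "$SAMPLE_7_3_4" | classify_tomcat || true
```

Piping the `java -cp .../lib/catalina.jar org.apache.catalina.util.ServerInfo` output from an unpacked download into `classify_tomcat` gives the same verdict without installing or starting Confluence.
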
Rusty Rusty April 7, 2020

I don't have that version handy, but based on your post it certainly appears to be running the vulnerable Tomcat.

I think Confluence 7.3.4 is the only version that includes a Tomcat build with fixes for CVE-2019-17569, CVE-2020-1935, and CVE-2020-1938.

Also, regarding 6.13.11, it appears that EOL is Dec 4, 2020, so you'll only get 8 months before you're out of support on that version.

Chuck Solie April 7, 2020

Thanks!  We are following the Enterprise release which is going to jump to v7 when 7.4.x is released (soon?), but is currently 6.13.x

https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html

0 votes
Gareth Cantrell
March 26, 2020

The release notes will generally list if a newer version of Tomcat has been shipped with a particular version of the application.

In this case, however, there is an open issue tracking CVE-2020-1938 specifically.

Rusty Rusty March 27, 2020

Thanks Gareth.  The only reference I could find to Tomcat in the release notes was in those for version 6.10 which references using Tomcat 9.

So nothing really specific there that I could find, but it's certainly possible that I'm just missing it.

0 votes
Moses Thomas
March 26, 2020

@Rusty Rusty To check the Tomcat version, go to General configuration > System information > Java Runtime Environment > Application Server.

You will find it there, but you should be a Confluence Admin.

Rusty Rusty March 26, 2020

Thanks @Moses Thomas, but I'd like to know before installing. I'd prefer to hold off on another upgrade until a version is available that I know resolves the issue.

Moses Thomas
March 26, 2020
