Why are Tomcat CVEs in the Confluence bundle silently patched?


According the FAQ question "What if a security problem is found in the bundled version of Tomcat?" at: https://confluence.atlassian.com/doc/end-of-support-announcements-for-confluence-210239673.html Atlassian states that "Our security team monitors vulnerabilities in all our dependencies, including Tomcat, and fixes continue to follow our Security Bugfix Policy."

However although new, patched, versions of Tomcat are included in new bundles of Confluence, no security advisories have been published or otherwise stated in the Release notes for at least the last year.

Only looking at this year, several important security vulnerabilities have been patched in Tomcat, including, but not limited to:


"By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code."


"[..] exposed sensitive information from other web applications, such as session IDs"


"[...] read and write data owned by other web applications."

Source: https://tomcat.apache.org/security-8.html

Maybe I have misunderstood Atlassian's commitment to 3:rd party security issues?

Update 2016-08-11:

Our Atlassian Expert partner alleges that Confluence is not affected by vulnerabilities in third party software, such as for example Tomcat or the Oracle JDK.

This is a strange point of view in my opinion and if true why does Atlassian bother to update, and hence patch vulnerabilities for, third party software in the bundle?

I might of course be wrong, and if so that would be a good day for security since then we do not have to patch anymore! :)

3 answers

1 vote
David Black Atlassian Team Sep 13, 2016


Atlassian aims to keep all third-party software used in our products and services up to date with the latest released versions. It is important to note that not all vulnerabilities in third party software affect Atlassian products and services. For example, CVE-2016-0714 is specifically about a flaw in Tomcat that allows an attacker to bypass intended SecurityManager restrictions, as our software currently does not use a security manager this issue does not affect our software.

The Atlassian security team monitors for vulnerabilities in our software's dependencies, including Tomcat, and fixes follow our Security Bugfix Policy. If our security team finds a vulnerability within any of our products caused by third-party software or otherwise, Atlassian addresses the issue based on our Security Bugfix Policy. If a vulnerability is of a critical severity, then we follow our Security Advisory Publishing Policy.

I totally agree with you regarding CVE handling, that's why I upvoted your issue. But: Seen pragmatic this tomcat is for Confluence only. It is not ment as a shared environment. So vuls ragarding "other (malicious) webapps" are  - lets say less critical. But I don't know if that applies to the OSGI environment used by Confluence. Maybe a plugin can abuse those vulnerabilities.

Yes, I think we agree here. The issue is not a specific CVE, but the handling, and silently patching of vulnerabilities - without informing whether or not a thorough vulnerability assessment has been made of each CVE and if for that reason we as customers need to update to a new Confluence bundle.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Dec 18, 2018 in Confluence Cloud

Happy holidays from our team to yours!

Hi Community!  2018 was filled with changes for our team, both big and small, and we've taken a lot of time to both celebrate our wins and recognize areas of improvement. One thing that we're a...

476 views 3 18
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you