Hi!
According the FAQ question "What if a security problem is found in the bundled version of Tomcat?" at: https://confluence.atlassian.com/doc/end-of-support-announcements-for-confluence-210239673.html Atlassian states that "Our security team monitors vulnerabilities in all our dependencies, including Tomcat, and fixes continue to follow our Security Bugfix Policy."
However although new, patched, versions of Tomcat are included in new bundles of Confluence, no security advisories have been published or otherwise stated in the Release notes for at least the last year.
Only looking at this year, several important security vulnerabilities have been patched in Tomcat, including, but not limited to:
CVE-2016-0714:
"By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code."
CVE-2016-0706:
"[..] exposed sensitive information from other web applications, such as session IDs"
CVE-2016-0763:
"[...] read and write data owned by other web applications."
Source: https://tomcat.apache.org/security-8.html
Maybe I have misunderstood Atlassian's commitment to 3:rd party security issues?
Update 2016-08-11:
Our Atlassian Expert partner alleges that Confluence is not affected by vulnerabilities in third party software, such as for example Tomcat or the Oracle JDK.
This is a strange point of view in my opinion and if true why does Atlassian bother to update, and hence patch vulnerabilities for, third party software in the bundle?
I might of course be wrong, and if so that would be a good day for security since then we do not have to patch anymore! :)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.