According to the FAQ question "What if a security problem is found in the bundled version of Tomcat?" at: https://confluence.atlassian.com/doc/end-of-support-announcements-for-confluence-210239673.html Atlassian states that "Our security team monitors vulnerabilities in all our dependencies, including Tomcat, and fixes continue to follow our Security Bugfix Policy."
However, although new, patched versions of Tomcat are included in new bundles of Confluence, no security advisories have been published or otherwise stated in the Release notes for at least the last year.
Only looking at this year, several important security vulnerabilities have been patched in Tomcat, including, but not limited to:
"By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code."
"[...] exposed sensitive information from other web applications, such as session IDs"
"[...] read and write data owned by other web applications."
Maybe I have misunderstood Atlassian's commitment to third-party security issues?
Our Atlassian Expert partner alleges that Confluence is not affected by vulnerabilities in third party software, such as for example Tomcat or the Oracle JDK.
This is a strange point of view in my opinion, and if true, why does Atlassian bother to update, and hence patch vulnerabilities for, third-party software in the bundle?
I might of course be wrong, and if so that would be a good day for security since then we do not have to patch anymore! :)
Atlassian aims to keep all third-party software used in our products and services up to date with the latest released versions. It is important to note that not all vulnerabilities in third-party software affect Atlassian products and services. For example, CVE-2016-0714 is specifically about a flaw in Tomcat that allows an attacker to bypass intended SecurityManager restrictions; as our software currently does not use a security manager, this issue does not affect our software.
The Atlassian security team monitors for vulnerabilities in our software's dependencies, including Tomcat, and fixes follow our Security Bugfix Policy. If our security team finds a vulnerability within any of our products caused by third-party software or otherwise, Atlassian addresses the issue based on our Security Bugfix Policy. If a vulnerability is of a critical severity, then we follow our Security Advisory Publishing Policy.
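The applicability argument in the reply above (a Tomcat CVE only matters if the feature it targets is actually in use, and the bundled Tomcat version is what decides whether the fix is present) is something an administrator can check locally rather than take on trust. The script below is an added example and is not Atlassian's or Tomcat's code. It assumes the standard layout of a Tomcat distribution: the bundled version is recorded in `org/apache/catalina/util/ServerInfo.properties` inside `lib/catalina.jar`, and a SecurityManager is only active when the JVM is started with `-Djava.security.manager` (or Tomcat's `catalina.sh -security` wrapper, which sets the same property). The properties text and JAVA_OPTS string are constructed samples; the fixed-in version passed to `assess()` is a placeholder that the reader fills in from the Tomcat security page for the CVE in question, not a value taken from this thread.

```python
import re
from typing import Dict, Tuple

# Constructed sample of org/apache/catalina/util/ServerInfo.properties
# (the real file lives inside the bundled lib/catalina.jar; values here are made up).
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/8.0.32
server.number=8.0.32.0
server.built=Jan 1 2016 00:00:00 UTC
"""

# Constructed JAVA_OPTS as an administrator might see it in bin/setenv.sh.
SAMPLE_JAVA_OPTS = "-Xms1024m -Xmx1024m -XX:+UseG1GC"


def parse_tomcat_version(server_info_text: str) -> Tuple[int, ...]:
    """Return the bundled Tomcat version as a tuple of ints, e.g. (8, 0, 32, 0).

    Prefers server.number (always numeric); falls back to the version part
    of server.info if server.number is missing.
    """
    props = {}
    for line in server_info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    raw = props.get("server.number")
    if raw is None:
        match = re.search(r"Apache Tomcat/([\d.]+)", props.get("server.info", ""))
        if not match:
            raise ValueError("no Tomcat version found in ServerInfo.properties")
        raw = match.group(1)
    return tuple(int(part) for part in raw.split(".") if part)


def security_manager_enabled(java_opts: str) -> bool:
    """True if the JVM options turn on a SecurityManager.

    Both '-Djava.security.manager' (bare or with a value) and Tomcat's
    'catalina.sh -security' flag (which adds that property) count.
    """
    tokens = java_opts.split()
    return any(
        tok == "-security" or tok.startswith("-Djava.security.manager")
        for tok in tokens
    )


def assess(version: Tuple[int, ...], fixed_in: Tuple[int, ...],
           requires_security_manager: bool, java_opts: str) -> Dict[str, object]:
    """Decide whether a Tomcat CVE is relevant to this installation.

    fixed_in: first Tomcat version (same major line) containing the fix;
              a placeholder the caller takes from the Tomcat security page.
    requires_security_manager: True for CVEs that only matter when a
              SecurityManager is in use (the CVE-2016-0714 case above).
    """
    # Pad the shorter tuple with zeros so (8,0,33) compares against (8,0,32,0).
    width = max(len(version), len(fixed_in))
    v = version + (0,) * (width - len(version))
    f = fixed_in + (0,) * (width - len(fixed_in))
    patched = v >= f
    sm_on = security_manager_enabled(java_opts)

    if patched:
        verdict = "not affected: bundled Tomcat already contains the fix"
    elif requires_security_manager and not sm_on:
        verdict = "not applicable: vulnerable version, but no SecurityManager in use"
    else:
        verdict = "potentially affected: update the bundle or apply the vendor fix"
    return {"version": v, "patched": patched,
            "security_manager": sm_on, "verdict": verdict}


if __name__ == "__main__":
    ver = parse_tomcat_version(SAMPLE_SERVER_INFO)
    # (8, 0, 33) is a placeholder fixed-in version, not taken from any advisory.
    print(assess(ver, (8, 0, 33), True, SAMPLE_JAVA_OPTS)["verdict"])
    print(assess(ver, (8, 0, 33), False, SAMPLE_JAVA_OPTS)["verdict"])
```

Run against a real install by extracting the properties file with `unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties` and pasting the JAVA_OPTS from `bin/setenv.sh`. The point of the `requires_security_manager` switch is the one the reply makes: the same vulnerable version yields a different verdict depending on whether the targeted feature is enabled, which is why "vulnerable Tomcat version present" and "Confluence affected" are separate questions.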
I totally agree with you regarding CVE handling; that's why I upvoted your issue. But: seen pragmatically, this Tomcat is for Confluence only. It is not meant as a shared environment. So vulnerabilities regarding "other (malicious) webapps" are, let's say, less critical. But I don't know if that applies to the OSGi environment used by Confluence. Maybe a plugin can abuse those vulnerabilities.
Yes, I think we agree here. The issue is not a specific CVE, but the handling and silent patching of vulnerabilities, without informing us whether or not a thorough vulnerability assessment has been made of each CVE and whether for that reason we as customers need to update to a new Confluence bundle.