Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,297,063
Community Members
 
Community Events
165
Community Groups

Workaround for CVE-2022-26134 - Windows version

Edited
Markus Sveinn Markusson
Markus Sveinn Markusson Jun 10, 2022

Confluence Windows version 7.7.2.

The workaround suggested by Atlassian includes the replacement of three files, 

xwork-1.0.3-atlassian-10.jar
webwork-2.1.5-atlassian-4.jar
CachedConfigurationProvider.class

None of these files can be found in the Confluence directory tree.

Does this vulnerability apply to the Windows version, and if so, what would be the correct workaround?

 

Answer
Watch
Like Be the first to like this
114 views

1 answer

1 accepted

3 votes
Answer accepted
Andy Heinzer
Andy Heinzer Atlassian Team Jun 10, 2022

Yes this vulnerability applies to Windows editions as well.  The files you mentioned are the replacement files.  Not the files that are currently on your system.  You need to download those specific files you mentioned from the Advisory itself.  Then remove the existing files with similar (but not exactly the same names).  Then copy in the downloaded files to their appropriate locations.  If you cannot find this folder, you might want to search for the

WEB-INF

folder instead.  Two of the jar files will be found in the WEB-INF/lib/ directory.

View More Comments
Markus Sveinn Markusson
Markus Sveinn Markusson Jun 10, 2022

Thank you, Andy.

You are correct, the two .jar files have older version numbers, understandibly.

The CachedConfigurationProvider.class is nowhere to be found, though.

Regards,
Markus

Like
Andy Heinzer
Andy Heinzer Atlassian Team Jun 10, 2022

Yes, that is expected as well.  That .class file has to added to a separate directory.

 

  • Change to directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
     

    1. Create a new directory called webwork

    2. Copy CachedConfigurationProvider.class into <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

    3. Ensure the permissions and ownership are correct for:

      <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
      <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class

 

Like
Markus Sveinn Markusson
Markus Sveinn Markusson Jun 13, 2022

Thank you very much, Andy. Workaround procedure completed.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
Community showcase
Meg Bailey
Meg Bailey
Published in Confluence

Confluence: Where work and wellness meet

Feeling overwhelmed by the demands of work and life? With a 25% increase in the prevalence of anxiety and depression worldwide during the pandemic, for most of us, it’s a resounding yes . 🙋‍♀️ ...

1,085 views 20 29
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you