Workaround for CVE-2022-26134 and LTS 7.13.x

Does this workaround also apply to LTS 7.13.5, although only versions >7.15 are mentioned?

 

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.


For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster to apply this mitigation. 

  1. Shut down Confluence.

  2. Download the following 1 file to the Confluence server:

  3. Delete (or move the following JAR outside of the Confluence install directory):

    <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

    (warning) Do not leave a copy of this old JAR in the directory.

  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/

  5. Check the permissions and ownership on the new xwork-1.0.3-atlassian-10.jar file matches the existing files in the same directory.

  6. Start Confluence.
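
A check for steps 3 to 5 of the quoted 7.15.0 - 7.18.0 procedure, added here as an example (it is not part of the original thread or of Atlassian's advisory). The two JAR names and the WEB-INF/lib path come from the post; the function names are hypothetical, and the install directory is passed as the only argument.

```shell
#!/bin/sh
# Added example: verify steps 3-5 of the quoted 7.15.0 - 7.18.0 mitigation.
OLD_JAR="xwork-1.0.3-atlassian-8.jar"
NEW_JAR="xwork-1.0.3-atlassian-10.jar"

# Print "mode uid gid" for one file, parsed from POSIX `ls -ln` output.
perm_sig() {
    ls -lnd "$1" | awk '{print $1, $3, $4}'
}

# Return 0 if the file swap under install directory $1 looks correct.
check_xwork_mitigation() {
    install_dir=$1
    lib="$install_dir/confluence/WEB-INF/lib"
    rc=0

    # Step 3: no copy of the old JAR may remain in the install directory.
    # The trailing * also flags renamed copies such as ".bak" (assumption:
    # this example treats those as leftovers too).
    leftovers=$(find "$install_dir" -name "${OLD_JAR}*" 2>/dev/null)
    if [ -n "$leftovers" ]; then
        echo "FAIL: old JAR still inside the install directory:"
        echo "$leftovers"
        rc=1
    fi

    # Step 4: the replacement JAR must be present in WEB-INF/lib.
    if [ ! -f "$lib/$NEW_JAR" ]; then
        echo "FAIL: $lib/$NEW_JAR not found"
        return 1
    fi

    # Step 5: mode, owner and group must match the existing JARs; the most
    # common signature among the sibling JARs is used as the reference.
    expected=$(for f in "$lib"/*.jar; do
                   [ "$f" = "$lib/$NEW_JAR" ] || perm_sig "$f"
               done | sort | uniq -c | sort -rn | awk 'NR==1 {print $2, $3, $4}')
    actual=$(perm_sig "$lib/$NEW_JAR")
    if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
        echo "FAIL: $NEW_JAR is '$actual' but sibling JARs are '$expected'"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: JAR swap looks correct in $lib"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_xwork_mitigation "$1"; fi
```

In a cluster, run it on each node before starting Confluence again, since the post says the process has to be repeated per node.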

Answer accepted
Andy Heinzer Atlassian Team Jun 07, 2022

There are different workaround steps depending on your version. Those are the steps for 7.15 and higher versions. But the advisory also contains different workaround steps for 7.0.0 - 7.14.x versions. Search for the phrase

For Confluence 7.0.0 - Confluence 7.14.2

and you will find slightly different mitigation steps for those versions.

Hi @Andy Heinzer, we are using Confluence Server v. 7.4.11.
I have followed the mitigation steps under "For Confluence 7.0.0 - Confluence 7.14.2".

After copying these files into the respective directories, the Confluence app is not loading. I am getting some errors in Catalina.out and atlassian-confluence.log.

Shall I open another case for it, or could you help me?

Andy Heinzer Atlassian Team Jun 07, 2022

@Venkata Mangipudi Please create a technical support request by visiting https://support.atlassian.com/contact/. I recommend that you have a billing or technical contact of your Confluence server license open a support case. Otherwise, users that are not listed within the SEN could be redirected back here to Community.

For startup problems like you have mentioned, it is important for our support teams to be able to gather those logs to help here.

Will do that. Thanks Andy

@Andy Heinzer Thanks for your reply. Sorry, I have read over this :-(

Deployment type: Server
Version: 7.13.5