Workaround for CVE-2022-26134 and LTS 7.13.x

DWedekind June 7, 2022

Does this workaround also apply to LTS 7.13.5, although only versions >7.15 are mentioned?

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.

For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster to apply this mitigation.

  1. Shut down Confluence.

  2. Download the following 1 file to the Confluence server:

  3. Delete (or move the following JAR outside of the Confluence install directory):

    <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

    (warning) Do not leave a copy of this old JAR in the directory.

  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/

  5. Check that the permissions and ownership on the new xwork-1.0.3-atlassian-10.jar file match the existing files in the same directory.

  6. Start Confluence.
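Steps 3 to 5 of the quoted advisory text amount to a JAR swap followed by an ownership and permission check, and the most common way to get it wrong is to leave the old JAR somewhere under the install tree or to copy the new one in with the wrong owner. The script below is an added example, not part of the question, the advisory or any Atlassian tooling. It assumes a Linux host with GNU or busybox `stat`, that the install directory, the path of the downloaded JAR and a backup directory outside the install tree are supplied by the operator, and that Confluence is stopped before and started after (steps 1 and 6), which the script deliberately does not do.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): apply steps 3-5 of the
# quoted mitigation and verify the result. Assumed inputs: install directory,
# downloaded JAR path and a backup directory that lies outside the install tree.

OLD_JAR="xwork-1.0.3-atlassian-8.jar"
NEW_JAR="xwork-1.0.3-atlassian-10.jar"

# "owner:group mode" of a file; GNU/busybox stat syntax (assumed Linux host).
file_identity() {
    stat -c '%U:%G %a' "$1"
}

# Pick any JAR in lib/ other than the new one to serve as the reference for
# ownership and permissions (step 5 says: match the existing files).
reference_jar() {
    ls "$1"/*.jar 2>/dev/null | grep -v "/$NEW_JAR\$" | head -n 1
}

# Steps 3-5: move the old JAR out of the install tree (never leave a copy
# behind), copy the new JAR in, then align its owner/group/mode with a sibling.
apply_xwork_mitigation() {
    install_dir="$1"; downloaded_jar="$2"; backup_dir="$3"
    lib_dir="$install_dir/confluence/WEB-INF/lib"
    [ -d "$lib_dir" ] || { echo "lib dir not found: $lib_dir" >&2; return 1; }
    [ -f "$downloaded_jar" ] || { echo "downloaded JAR not found: $downloaded_jar" >&2; return 1; }
    mkdir -p "$backup_dir"
    if [ -f "$lib_dir/$OLD_JAR" ]; then
        mv "$lib_dir/$OLD_JAR" "$backup_dir/$OLD_JAR"
    fi
    cp "$downloaded_jar" "$lib_dir/$NEW_JAR"
    ref=$(reference_jar "$lib_dir")
    if [ -n "$ref" ]; then
        chown "$(stat -c '%U:%G' "$ref")" "$lib_dir/$NEW_JAR"
        chmod "$(stat -c '%a' "$ref")" "$lib_dir/$NEW_JAR"
    fi
}

# Post-change check, usable on every cluster node: the old JAR must not exist
# anywhere under the install directory, the new JAR must be present, and its
# owner/group/mode must equal a sibling JAR's. Returns 0 only when all hold.
verify_xwork_mitigation() {
    install_dir="$1"
    lib_dir="$install_dir/confluence/WEB-INF/lib"
    if [ -n "$(find "$install_dir" -name "$OLD_JAR" 2>/dev/null)" ]; then
        echo "FAIL: $OLD_JAR still present under $install_dir" >&2; return 1
    fi
    [ -f "$lib_dir/$NEW_JAR" ] || { echo "FAIL: $NEW_JAR missing from $lib_dir" >&2; return 1; }
    ref=$(reference_jar "$lib_dir")
    if [ -n "$ref" ] && [ "$(file_identity "$ref")" != "$(file_identity "$lib_dir/$NEW_JAR")" ]; then
        echo "FAIL: owner/permissions of $NEW_JAR differ from $ref" >&2; return 1
    fi
    echo "OK: $NEW_JAR in place, $OLD_JAR removed"
}

# Stand-alone use (assumed invocation, run while Confluence is stopped):
#   CONFLUENCE_INSTALL=/path/to/confluence sh mitigate.sh /path/to/downloaded.jar /path/to/backup
if [ -n "${CONFLUENCE_INSTALL:-}" ] && [ "$#" -eq 2 ]; then
    apply_xwork_mitigation "$CONFLUENCE_INSTALL" "$1" "$2" && verify_xwork_mitigation "$CONFLUENCE_INSTALL"
fi
```

The verify function searches the whole install directory rather than only lib/, which is stricter than the advisory's wording but catches the case where someone "moved" the old JAR into a sibling folder that is still on the classpath search path or still inside the install tree.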

Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 7, 2022

There are different workaround steps depending on your version.  Those are the steps for 7.15 and higher versions.  But the advisory also contains different workaround steps for 7.0.0 - 7.14.x versions.  Search for the phrase

For Confluence 7.0.0 - Confluence 7.14.2

and you will find slightly different mitigation steps for those versions.

Venkata Mangipudi June 7, 2022

Hi @Andy Heinzer, we are using Confluence Server v. 7.4.11.
I have followed the mitigation steps under "For Confluence 7.0.0 - Confluence 7.14.2".

After copying these files into the respective directories, the Confluence app is not loading. I am getting some errors in catalina.out and atlassian-confluence.log.

Shall I open another case for it, or could you help me?

Andy Heinzer
Atlassian Team
June 7, 2022

@Venkata Mangipudi Please create a technical support request by visiting https://support.atlassian.com/contact/. I recommend that you have a billing or technical contact of your Confluence Server license open the support case.  Otherwise, users that are not listed within the SEN could be redirected back here to Community.

For startup problems like you have mentioned, it is important for our support teams to be able to gather those logs to help here.

Venkata Mangipudi June 7, 2022

Will do that. Thanks Andy

DWedekind June 9, 2022

@Andy Heinzer Thanks for your reply. Sorry, I have read over this :-(

Deployment type: Server
Version: 7.13.5