How to fix warning "Security framework of XStream" in catalina.out log?

rporteric
October 9, 2020

Our catalina.out log is flooded with warnings about the "security framework of XStream". Does anyone know how to fix or remove the warning message?

Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.

2 answers

1 accepted

0 votes
Answer accepted
Ganesh Gautam
Atlassian Team
August 19, 2021

@rporteric These errors are shown when the XStream allowlist security system is not enabled in a product. This is enabled by calling the following code in the core:

XStream.setupDefaultSecurity(xstream);

However, since it's a breaking change, Confluence would be switching from blocklist to allowlist in a platform release. Till that time, it will be using blocklist mode.

Confluence allows admins to switch to allowlist mode by setting the following JVM sysprop to true (but it has the potential to break many plugins):

xstream.allowlist.enable

I expect a similar thing in Jira.
Please note that XStream 1.5 is expected to default to this behaviour when released.

Thanks,

Ganesh
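
The allowlist mode described in the answer above, shown at the XStream API level as an added example (not code from the post, Atlassian or the XStream project). It assumes XStream 1.4.x on the classpath; the `Settings` class and both XML strings are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application type that the caller expects to find in the XML.
    public static class Settings {
        String name;
        int retries;
    }

    static XStream newAllowlistedXStream() {
        XStream xstream = new XStream();
        // Allowlist mode: deny every type first, then permit only what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Settings.class });
        // An alias only names the element; it does not grant permission.
        xstream.alias("settings", Settings.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = newAllowlistedXStream();

        // Constructed input: a type that is on the allowlist.
        String expected =
            "<settings><name>nightly</name><retries>3</retries></settings>";
        Settings s = (Settings) xstream.fromXML(expected);
        System.out.println("parsed: " + s.name + ", retries=" + s.retries);

        // Constructed input: java.util.Date is a normal XStream type ("date"
        // is its built-in alias) but it is not on this allowlist.
        String notAllowed = "<date>2020-10-09 00:00:00.0 UTC</date>";
        try {
            xstream.fromXML(notAllowed);
            System.out.println("type outside the allowlist was deserialized");
        } catch (XStreamException e) {
            // XStream signals the refusal with ForbiddenClassException,
            // a subclass of XStreamException.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second case is the reason allowlist mode can break plugins: any type a plugin serializes through XStream that is not explicitly permitted is refused in the same way.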

0 votes
Daniel Ebers
Rising Star
October 23, 2020

Hi rporteric,

welcome to the Atlassian Community!

This error message is well-known to me from a Bamboo installation but I have never encountered it on Jira.

I found a Suggestion regarding this error: https://jira.atlassian.com/browse/JRASERVER-71181
Unfortunately there is not much information about it. It could be helpful to "vote" for the issue using the link above. You can also watch the issue.

From what I observed the error does not stop the application from working correctly so far.

Cheers,
Daniel

Deployment type: Server
Version: 8.5.3