Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Workaround for CVE-2022-26134 and LTS 7.13.x

DWedekind
DWedekind
Contributor
June 7, 2022

Does this workaround also applies to LTS 7.13.5 although only version >7.15 are mentioned?

 

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.


For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster to apply this mitigation. 

  1. Shut down Confluence.
     

  2. Download the following 1 file to the Confluence server:

  3. Delete (or move the following JAR outside of the Confluence install directory):

    <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

    (warning) Do not leave a copy of this old JAR in the directory.
     

  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
     

  5. Check the permissions and ownership on the new xwork-1.0.3-atlassian-10.jar file matches the existing files in the same directory.
     

  6. Start Confluence.

Answer
Watch
Like Be the first to like this
968 views

1 answer

1 accepted

0 votes
Answer accepted
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 7, 2022

There are different workarounds steps depending on your version.  Those are the steps for 7.15 and higher versions.  But the advisory also contains a different workaround steps for 7.0.0 - 7.14.x versions.  Search for the phrase

For Confluence 7.0.0 - Confluence 7.14.2

and you will find slightly different mitigation steps for those versions.

View More Comments
Venkata Mangipudi
Venkata Mangipudi June 7, 2022

Hi @Andy Heinzer we are using Confluence Server v. 7.4.11. 
I have followed mitigation steps under "For Confluence 7.0.0 - Confluence 7.14.2". 

After copying these files in respective directories, confluence app is not loading. Getting some errors in Catalina.out and atlassian-confluence.log. 

Shall I open another case for it ? or could you help me?

Like
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 7, 2022

@Venkata Mangipudi Please create a technical support request by visiting https://support.atlassian.com/contact/ I recommend that you have a billing or technical contact of your Confluence server license open a support case.  Otherwise users that are not listed within the SEN could be redirected back here to Community.

For startup problems like you have mentioned, it is important for our support teams to be able to gather those logs to help here.

Like
Venkata Mangipudi
Venkata Mangipudi June 7, 2022

Will do that. Thanks Andy

Like
DWedekind
DWedekind
Contributor
June 9, 2022

@Andy Heinzer Thanks for your reply. Sorry, I have read over this :-(

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
DEPLOYMENT TYPE
SERVER
VERSION
7.13.5
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.