Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Workaround for CVE-2022-26134 - Windows version

Markus Sveinn Markusson
Markus Sveinn Markusson June 10, 2022

Confluence Windows version 7.7.2.

The workaround suggested by Atlassian includes the replacement of three files, 

xwork-1.0.3-atlassian-10.jar
webwork-2.1.5-atlassian-4.jar
CachedConfigurationProvider.class

None of these files can be found in the Confluence directory tree.

Does this vulnerability apply to the Windows version, and if so, what would be the correct workaround?

 

Answer
Watch
Like Be the first to like this
624 views

1 answer

1 accepted

3 votes
Answer accepted
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 10, 2022

Yes this vulnerability applies to Windows editions as well.  The files you mentioned are the replacement files.  Not the files that are currently on your system.  You need to download those specific files you mentioned from the Advisory itself.  Then remove the existing files with similar (but not exactly the same names).  Then copy in the downloaded files to their appropriate locations.  If you cannot find this folder, you might want to search for the

WEB-INF

folder instead.  Two of the jar files will be found in the WEB-INF/lib/ directory.

View More Comments
Markus Sveinn Markusson
Markus Sveinn Markusson June 10, 2022

Thank you, Andy.

You are correct, the two .jar files have older version numbers, understandibly.

The CachedConfigurationProvider.class is nowhere to be found, though.

Regards,
Markus

Like
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 10, 2022

Yes, that is expected as well.  That .class file has to added to a separate directory.

 

  • Change to directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
     

    1. Create a new directory called webwork

    2. Copy CachedConfigurationProvider.class into <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

    3. Ensure the permissions and ownership are correct for:

      <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
      <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class

 

Like
Markus Sveinn Markusson
Markus Sveinn Markusson June 13, 2022

Thank you very much, Andy. Workaround procedure completed.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.