[FOLIO-3327] Upgrade FOLIO Confluence to address new security vulnerability Created: 02/Nov/21  Updated: 07/Nov/21  Resolved: 07/Nov/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: John Malconian Assignee: Peter Murray
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Attachments: PNG File screenshot-1.png
Sprint: DevOps Sprint 126
Development Team: FOLIO DevOps

Description

Atlassian has reported a new security vulnerability in Confluence that they have classified as "critical". https://confluence.atlassian.com/security/multiple-products-security-advisory-unrendered-unicode-bidirectional-override-characters-cve-2021-42574-1086419475.html?subid=1527911294&jobid=105251298&utm_campaign=multiple-products-advisory_november-2021_EML-11738&utm_medium=email&utm_source=alert-email

Will require upgrading Confluence to the latest fixed version.
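As an added example (not Atlassian's or the FOLIO project's code), a small Python check for the class of input named in that advisory, CVE-2021-42574: Unicode bidirectional override and isolate characters that a renderer may fail to show. It reports where such characters sit in submitted text and whether they are left unterminated, and rewrites them as visible escapes for a reviewer; the sample text is constructed.

```python
# Detect Unicode bidi override/isolate characters (the class of input behind
# CVE-2021-42574) in text before it is stored or rendered. Added example; not
# Atlassian's or FOLIO's code.

# Bidi formatting characters that change the displayed order of text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Embeddings/overrides are closed by PDF, isolates by PDI.
OPEN_TO_CLOSE = {"LRE": "PDF", "RLE": "PDF", "LRO": "PDF", "RLO": "PDF",
                 "LRI": "PDI", "RLI": "PDI", "FSI": "PDI"}


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control in text (1-based)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def unbalanced_controls(text):
    """Count openers never closed plus closers with no matching opener.
    A non-zero result means the visual order of what follows is unspecified."""
    stack, stray = [], 0
    for ch in text:
        name = BIDI_CONTROLS.get(ch)
        if name is None:
            continue
        if name in OPEN_TO_CLOSE:
            stack.append(OPEN_TO_CLOSE[name])
        elif stack and stack[-1] == name:
            stack.pop()
        else:
            stray += 1
    return len(stack) + stray


def make_visible(text):
    """Replace each bidi control with an escape such as <U+202E> so a reviewer sees it."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text)


# Constructed sample: one line carries a balanced RLO...PDF pair, the others are clean.
SAMPLE = "Title: Upgrade notes\nApproved by: \u202ereviewer\u202c\nplain line\n"

if __name__ == "__main__":
    print(find_bidi_controls(SAMPLE), unbalanced_controls(SAMPLE))
    print(make_visible(SAMPLE))
```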



Comments
Comment by Peter Murray [ 05/Nov/21 ]

Ah, nuts...I didn't see this until now.  Have you had a chance to look at it, Malc?  If not, I'll try to sneak it in this weekend.
Comment by John Malconian [ 05/Nov/21 ]

I haven't been able to get to this this week, Peter Murray. I did upgrade FOLIO Jira, however, and I did spend some time renewing/upgrading all the Confluence plugins in preparation for the Confluence upgrade. If I'm not mistaken we should upgrade from 7.8.0 to 7.13.2, which is the latest LTS patch revision. Before shutting down Confluence and beginning the upgrade, the SSO for Atlassian Datacenter plugin should be disabled. It can be re-enabled and updated post-upgrade. If you don't get to the upgrade this weekend, I can do it early next week. Should be a fairly painless upgrade (famous last words).

Comment by John Malconian [ 05/Nov/21 ]

We should also use this opportunity to apply the latest AL2 updates (sudo yum update) and reboot the instance.

Comment by Peter Murray [ 07/Nov/21 ]

Restarted server, but Confluence crashed with an out-of-heap-space error. Edited /opt/Confluence/bin/setenv.sh to raise both Xms and Xmx to "1536m" (both were at 1024m previously).

Now seeing:

2021-11-07 18:25:15,416 INFO [Catalina-utility-1] [confluence.upgrade.recovery.ConfluenceProgressMonitor] begin TABLE_DATA: [scheduler_run_details]
2021-11-07 18:25:59,813 WARN [C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-AdminTaskTimer] [mchange.v2.async.ThreadPoolAsynchronousRunner] log com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@6306fb76 -- APPARENT DEADLOCK!!! Creating emergency threads for unassigned pending tasks!
2021-11-07 18:26:11,028 WARN [C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-AdminTaskTimer] [mchange.v2.async.ThreadPoolAsynchronousRunner] log com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@6306fb76 -- APPARENT DEADLOCK!!! Complete Status:
	Managed Threads: 3
	Active Threads: 3
	Active Tasks:
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@7802d438
			on thread: C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-HelperThread-#0
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@611e8af
			on thread: C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-HelperThread-#1
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@1a8e7f07
			on thread: C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-HelperThread-#2
	Pending Tasks:
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@6c4f2c25
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@2829680
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@bdf52ef
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@62c062d4
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@77fb44ad
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@61dbea44
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@106284ba
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@71d582a0
		com.mchange.v2.resourcepool.BasicResourcePool$1RefurbishCheckinResourceTask@5ca66e1b
		com.mchange.v2.resourcepool.BasicResourcePool$1DestroyResourceTask@62912601
		com.mchange.v2.resourcepool.BasicResourcePool$1DestroyResourceTask@665229bd
		com.mchange.v2.resourcepool.BasicResourcePool$1DestroyResourceTask@3bcf6755
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@54760081
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@3fbc8520
		com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@48545cab
		com.mchange.v2.resourcepool.BasicResourcePool$1RefurbishCheckinResourceTask@8e17f3b

Upped the heap spaces to 2048m each. Now getting a different error:

Upgrade failed. Please consult the system logs for details. You will need to fix these problems, restore your database and confluence home directory to the pre upgrade state. Then retry the upgrade. Upgrade error message: Upgrade task

com.atlassian.confluence.upgrade.upgradetask.DenormalisedSpacePermissionsUpgradeTask@7cf327bb failed during the SCHEMA_UPGRADE phase due to: StatementCallback; uncategorized SQLException for SQL [CREATE TRIGGER denormalised_space_trigger_on_update AFTER UPDATE ON SPACES FOR EACH ROW sp: BEGIN DECLARE isServiceDisabled BOOL DEFAULT TRUE; CALL space_procedure_for_denormalised_permissions(isServiceDisabled); IF (isServiceDisabled) THEN LEAVE sp; END IF; IF (NEW.LOWERSPACEKEY = OLD.LOWERSPACEKEY) THEN LEAVE sp; END IF; INSERT INTO DENORMALISED_SPACE_CHANGE_LOG(SPACE_ID) VALUES (NEW.SPACEID); END;]; SQL state [HY000]; error code [1419]; You do not have the SUPER privilege and binary logging is enabled (you might want to use the less safe log_bin_trust_function_creators variable); nested exception is java.sql.SQLException: You do not have the SUPER privilege and binary logging is enabled (you might want to use the less safe log_bin_trust_function_creators variable)

Comment by Peter Murray [ 07/Nov/21 ]

Ah, apparently a known issue: "Install/Upgrade Confluence 7.11+ fails with error - You do not have the SUPER privilege and binary logging is enabled" (Atlassian Confluence documentation): https://confluence.atlassian.com/confkb/install-upgrade-confluence-7-11+-fails-with-error-you-do-not-have-the-super-privilege-and-binary-logging-is-enabled-1044096915.html

At the prompting of Confluence on first login ("Tomcat config is incorrect"), also needed to change the Tomcat server.xml file to know about the NGINX proxy: "Can't check base URL warning in Confluence 6.6 or later" and "How to use NGINX to proxy requests for Confluence" (Atlassian Confluence documentation): https://confluence.atlassian.com/confkb/how-to-use-nginx-to-proxy-requests-for-confluence-313459790.html

After Confluence upgrade, also upgraded plugins:

  • Atlassian SSO
  • Atlassian Universal Plugin Manager Plugin
  • Confluence Unknown Attachment Reconciliation Plugin