[FOLIO-3327] Upgrade FOLIO Confluence to address new security vulnerability
Created: 02/Nov/21 | Updated: 07/Nov/21 | Resolved: 07/Nov/21

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task |
| Priority: | P2 |
| Reporter: | John Malconian |
| Assignee: | Peter Murray |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Attachments: | |
| Sprint: | DevOps Sprint 126 |
| Development Team: | FOLIO DevOps |

| Description |
Atlassian has reported a new security vulnerability in Confluence that they have classified as "critical".
https://confluence.atlassian.com/security/multiple-products-security-advisory-unrendered-unicode-bidirectional-override-characters-cve-2021-42574-1086419475.html?subid=1527911294&jobid=105251298&utm_campaign=multiple-products-advisory_november-2021_EML-11738&utm_medium=email&utm_source=alert-email
Will require upgrading Confluence to the latest fixed version.
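The advisory linked above concerns Unicode bidirectional override characters that Confluence rendered invisibly. The following is an added example, not part of this ticket or of Atlassian's fix: a small scanner that reports where such characters occur in text, so wiki exports, pasted source or attachments can be checked independently of the upgrade. The sample input is constructed.

```python
"""Scan text for Unicode bidirectional override/isolate characters (CVE-2021-42574).

Added example, not part of the FOLIO ticket or any Atlassian code.
The sample string at the bottom is constructed for illustration.
"""
import unicodedata

# Explicit bidi formatting characters: embeddings/overrides (U+202A..U+202E),
# isolates (U+2066..U+2069), and the marks LRM/RLM/ALM that often accompany them.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
    "\u200e", "\u200f", "\u061c",
}
# Characters that close a scope; marks open nothing; everything else opens a scope.
CLOSERS = {"\u202c", "\u2069"}
MARKS = {"\u200e", "\u200f", "\u061c"}


def find_bidi_controls(text):
    """Return (line, column, codepoint, unicode name) for every control found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def unterminated_scopes(text):
    """Count lines that open an override/isolate scope and never close it.

    A scope that swallows the rest of the visible line is the pattern the
    advisory is about, so an unclosed scope is the stronger signal than a
    balanced, legitimately bidirectional string."""
    unclosed = 0
    for line in text.splitlines():
        depth = 0
        for ch in line:
            if ch in BIDI_CONTROLS and ch not in MARKS:
                depth = max(depth - 1, 0) if ch in CLOSERS else depth + 1
        if depth > 0:
            unclosed += 1
    return unclosed


# Constructed sample: line 2 hides a RIGHT-TO-LEFT OVERRIDE inside a comment.
SAMPLE = "if access_level == 'user':\n    print('safe') # \u202e trailing text\nreturn 0\n"

if __name__ == "__main__":
    for hit in find_bidi_controls(SAMPLE):
        print("line %d col %d %s %s" % hit)
    print("lines with unterminated scopes:", unterminated_scopes(SAMPLE))
```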
| Comments |
| Comment by Peter Murray [ 05/Nov/21 ] |
Ah, nuts... I didn't see this until now. Have you had a chance to look at it, Malc? If not, I'll try to sneak it in this weekend.
| Comment by John Malconian [ 05/Nov/21 ] |
I haven't been able to get to this, this week, Peter Murray. I did upgrade FOLIO Jira, however, and I did spend some time renewing/upgrading all the Confluence plugins in preparation for the Confluence upgrade. If I'm not mistaken we should upgrade from 7.8.0 to 7.13.2 which is the latest LTS patch revision. Before shutting down Confluence and beginning the upgrade, the SSO for Atlassian Datacenter plugin should be disabled. It can be re-enabled and updated post-upgrade. If you don't get to the upgrade this weekend, I can do it early next week. Should be a fairly painless upgrade (famous last words).
| Comment by John Malconian [ 05/Nov/21 ] |
We should also use this opportunity to apply latest AL2 updates (sudo yum update) and reboot the instance.
| Comment by Peter Murray [ 07/Nov/21 ] |
Restarted server, but Confluence crashed with an out-of-heap-space error. Edited /opt/Confluence/bin/setenv.sh to raise both Xms and Xmx to "1536m" (both were at 1024m previously). Now seeing:
2021-11-07 18:25:15,416 INFO [Catalina-utility-1] [confluence.upgrade.recovery.ConfluenceProgressMonitor] begin TABLE_DATA: [scheduler_run_details]
2021-11-07 18:25:59,813 WARN [C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-AdminTaskTimer] [mchange.v2.async.ThreadPoolAsynchronousRunner] log com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@6306fb76 -- APPARENT DEADLOCK!!! Creating emergency threads for unassigned pending tasks!
2021-11-07 18:26:11,028 WARN [C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-AdminTaskTimer] [mchange.v2.async.ThreadPoolAsynchronousRunner] log com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@6306fb76 -- APPARENT DEADLOCK!!! Complete Status:
Managed Threads: 3
Active Threads: 3
Active Tasks:
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@7802d438
on thread: C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-HelperThread-#0
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@611e8af
on thread: C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-HelperThread-#1
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@1a8e7f07
on thread: C3P0PooledConnectionPoolManager[identityToken->2tam8rak1xtkx6qdrju30|10adf096]-HelperThread-#2
Pending Tasks:
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@6c4f2c25
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@2829680
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@bdf52ef
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@62c062d4
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@77fb44ad
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@61dbea44
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@106284ba
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@71d582a0
com.mchange.v2.resourcepool.BasicResourcePool$1RefurbishCheckinResourceTask@5ca66e1b
com.mchange.v2.resourcepool.BasicResourcePool$1DestroyResourceTask@62912601
com.mchange.v2.resourcepool.BasicResourcePool$1DestroyResourceTask@665229bd
com.mchange.v2.resourcepool.BasicResourcePool$1DestroyResourceTask@3bcf6755
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@54760081
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@3fbc8520
com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@48545cab
com.mchange.v2.resourcepool.BasicResourcePool$1RefurbishCheckinResourceTask@8e17f3b
Upped the heap spaces to 2048m each. Now getting a different error:
| Comment by Peter Murray [ 07/Nov/21 ] |
Ah, apparently a known issue: [Install/Upgrade Confluence 7.11+ fails with error - You do not have the SUPER privilege and binary logging is enabled | Confluence | Atlassian Documentation|https://confluence.atlassian.com/confkb/install-upgrade-confluence-7-11+-fails-with-error-you-do-not-have-the-super-privilege-and-binary-logging-is-enabled-1044096915.html] At the prompting of Confluence on first login ("Tomcat config is incorrect"), also needed to change the Tomcat server.xml file to know about the NGINX proxy: Can't check base URL warning in Confluence 6.6 or later and [How to use NGINX to proxy requests for Confluence | Confluence | Atlassian Documentation|https://confluence.atlassian.com/confkb/how-to-use-nginx-to-proxy-requests-for-confluence-313459790.html] After Confluence upgrade, also upgraded plugins:
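The "Tomcat config is incorrect" prompt above comes from the proxy attributes Atlassian's NGINX guide puts on the Confluence HTTP connector. The following is an added example, not from this ticket or from Atlassian: a check that reads a server.xml, finds the HTTP Connector and compares its scheme, proxyName and proxyPort with the Confluence base URL, which is the mismatch behind the base URL warning. The server.xml text and the host wiki.example.org are constructed, not FOLIO's.

```python
"""Check a Confluence Tomcat server.xml for reverse-proxy connector settings.

Added example, not from the FOLIO ticket or Atlassian. It compares the
connector attributes named in Atlassian's NGINX guide (scheme, proxyName,
proxyPort, secure) against the Confluence base URL. The server.xml below is
constructed; wiki.example.org is a placeholder host.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET


def check_proxy_connector(server_xml, base_url):
    """Return a list of problems on the first plain HTTP Connector; [] means ok."""
    base = urlparse(base_url)
    expected_port = base.port or (443 if base.scheme == "https" else 80)
    root = ET.fromstring(server_xml)
    # Skip AJP and TLS-terminating connectors; the proxy talks plain HTTP to Tomcat.
    connectors = [c for c in root.iter("Connector")
                  if "AJP" not in c.get("protocol", "") and c.get("SSLEnabled") != "true"]
    if not connectors:
        return ["no plain HTTP Connector element found"]
    c = connectors[0]
    problems = []
    if c.get("scheme") != base.scheme:
        problems.append(f"scheme={c.get('scheme')!r} but base URL uses {base.scheme!r}")
    if c.get("proxyName") != base.hostname:
        problems.append(f"proxyName={c.get('proxyName')!r} but base URL host is {base.hostname!r}")
    if c.get("proxyPort") != str(expected_port):
        problems.append(f"proxyPort={c.get('proxyPort')!r} but base URL implies {expected_port}")
    if base.scheme == "https" and c.get("secure") != "true":
        problems.append('secure="true" expected when the proxy terminates HTTPS')
    return problems


# Constructed sample: a stock connector that knows nothing about the proxy.
STOCK_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol" URIEncoding="UTF-8"/>
  </Service>
</Server>"""

# The same connector with the proxy attributes from Atlassian's NGINX guide added.
PROXIED_SERVER_XML = STOCK_SERVER_XML.replace(
    'URIEncoding="UTF-8"/>',
    'URIEncoding="UTF-8" scheme="https" proxyName="wiki.example.org" proxyPort="443" secure="true"/>')

if __name__ == "__main__":
    for name, xml in (("stock", STOCK_SERVER_XML), ("proxied", PROXIED_SERVER_XML)):
        print(name, check_proxy_connector(xml, "https://wiki.example.org") or "ok")
```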