How loosely-coupled is Confluence and Tomcat?

Roy Youngman September 24, 2011

Hi Guys,

Newbie here involved in my first Confluence deployment for a very large US company. Please be gentle.

We recently downloaded and installed the 3.5.13 release of Confluence. Tomcat 6.0.32 was bundled with it. The head of IT Security at our company identified 4 security vulnerabilities with that release of Tomcat. 3 of these are fixed in Tomcat 6.0.33. The other and most critical one is CVE-2011-3190. This vulnerability looks to be addressed in a "not-yet-released" version of Tomcat 6.0.34. So the fact that a specific release of Tomcat was bundled with Confluence raises some questions about if and when we apply patches or upgrades to Tomcat:

  1. What is the risk (if any) I take if I apply a release update or patch to Tomcat without also upgrading Confluence? In other words, can I go to Tomcat 6.0.33 and then 6.0.34 independent of an increase in the Confluence 3.5 line?
  2. How fast does Atlassian typically turnaround a new release of Confluence to incorporate Tomcat release changes, especially when a critical security vulnerability is in play?

I need to provide our Security Leader assurances that we will be able to address these vulnerabilities in a timely manner, so any insight anyone has or can point me to is greatly appreciated.

2 answers

1 accepted

4 votes
Answer accepted
Joe Clark
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 25, 2011

We do release updates for Confluence if we need to upgrade the version of Tomcat shipped with standalone for security reasons - bugfix releases for Confluence are generally released every 2-3 weeks. If you ever have questions about specific versions of Confluence and/or Tomcat, you can raise a support request to discuss details with us.

The issue you linked to looks like it relates to the Tomcat AJP connector, which is not used in the standalone version of Confluence by default.

Roy Youngman September 25, 2011

Thanks, Joseph. As it turns out, we are also using the SharePoint Connector with IWA which requires the AJP connector (click here to see that documentation). So to us, the security issue is very relevant.

In any case, I take it that I can apply the 6.0.33 release of Tomcat now and the 6.0.34 release of Tomcat later without expecting big problems. We figured that, but the documentation on the Supported Platform page is a bit ambiguous. Note that it says for Tomcat: "5.5.20 - 6.0", not "5.5.20 - 6.0.x".

Joe Clark
Atlassian Team
September 26, 2011

Ah, no worries. :-) Yes, dropping in a point release of Tomcat should be easy-peasy.

I'll see if I can get that supported platforms page updated to fix the ambiguity.
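Two things in the exchange above are worth checking on an actual install rather than taking on faith: which Tomcat version the standalone bundle really runs, and whether the AJP connector is live in conf/server.xml (Confluence ships it commented out; the SharePoint Connector / IWA setup uncomments it). The script below is an added example written for this page, not code from Atlassian or from the posters. It assumes the layout of Confluence standalone's conf/server.xml and of Tomcat's ServerInfo.properties (inside lib/catalina.jar), uses constructed samples of both, and takes the fix versions (6.0.33 and 6.0.34) from the thread itself rather than from an advisory.

```python
"""Check a Confluence-bundled Tomcat for version and AJP exposure.

Added example for this page; samples are constructed, version
thresholds are the ones quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Fix versions as stated in the thread (inputs, not an authoritative advisory).
FIXED_IN = {
    "three Tomcat fixes from the thread": (6, 0, 33),
    "CVE-2011-3190 (AJP connector)": (6, 0, 34),
}

# Protocol values that select the AJP connector in Tomcat 6.
AJP_PROTOCOLS = {
    "AJP/1.3",
    "org.apache.coyote.ajp.AjpProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}

# Constructed sample of org/apache/catalina/util/ServerInfo.properties.
SERVER_INFO = "server.info=Apache Tomcat/6.0.32\nserver.number=6.0.32.0\n"

# Constructed, trimmed conf/server.xml as Confluence standalone ships it:
# the AJP connector is inside an XML comment, so a parser never sees it.
SERVER_XML_DEFAULT = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" maxHttpHeaderSize="8192"/>
    <!--
    <Connector port="8009" protocol="AJP/1.3" enableLookups="false"/>
    -->
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Same file after the AJP connector has been uncommented for IWA, with no
# address attribute, so Tomcat binds it on every interface.
SERVER_XML_AJP = SERVER_XML_DEFAULT.replace("    <!--\n", "").replace("    -->\n", "")


def parse_tomcat_version(server_info_text):
    """Return the Tomcat version from ServerInfo.properties as an int tuple."""
    m = re.search(r"^server\.info=Apache Tomcat/(\d+(?:\.\d+)*)", server_info_text, re.M)
    if not m:
        raise ValueError("no server.info line found")
    return tuple(int(p) for p in m.group(1).split("."))


def enabled_ajp_connectors(server_xml_text):
    """List AJP connectors the XML parser actually sees (commented-out ones do not count)."""
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1") not in AJP_PROTOCOLS:
            continue
        found.append({
            "port": int(conn.get("port", "0")),
            "address": conn.get("address"),  # None means all interfaces
            # requiredSecret is the Tomcat 6 AJP attribute for a shared secret;
            # its presence is an assumption about how the admin configured it.
            "secret_set": conn.get("requiredSecret") is not None,
        })
    return found


def outstanding_fixes(version, fixed_in=FIXED_IN):
    """Names of fixes whose minimum Tomcat version the install has not reached."""
    return [name for name, minimum in fixed_in.items() if version < minimum]


def assess(server_info_text, server_xml_text, fixed_in=FIXED_IN):
    """Combine version and connector findings into one report dict."""
    version = parse_tomcat_version(server_info_text)
    ajp = enabled_ajp_connectors(server_xml_text)
    missing = outstanding_fixes(version, fixed_in)
    ajp_issue = any(n.startswith("CVE-2011-3190") for n in missing) and bool(ajp)
    on_all = [c for c in ajp if c["address"] in (None, "0.0.0.0", "::")]
    return {
        "version": version,
        "outstanding": missing,
        "ajp_enabled": bool(ajp),
        "ajp_issue_applies": ajp_issue,
        "ajp_on_all_interfaces": bool(on_all),
    }


if __name__ == "__main__":
    for label, xml_text in (("default", SERVER_XML_DEFAULT), ("with AJP", SERVER_XML_AJP)):
        print(label, assess(SERVER_INFO, xml_text))
```

On a real server, read SERVER_INFO with `unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties` and pass the contents of conf/server.xml; the point of the parser-based check is that a `grep` for "8009" would flag the commented-out default as a finding, while only an uncommented connector matters. If the connector is live and has no `address`, it is reachable by anything that can reach the port, which is the case the AJP issue in the thread actually applies to.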

4 votes
Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 24, 2011

Confluence is a standard web-application which you can try to run in any application server you want. It doesn't have to be run in Tomcat at all, let alone a specific version.

Confluence "standalone" is simply a bundle of Confluence, Tomcat and a database server which are known to work well, and Atlassian do release quick updates to it if Tomcat needs a security update, but there should be no problem with using later versions of Tomcat with the current version of Confluence.

Of course, it's a little more complex though. Confluence standalone is great for getting up and running quickly, but most large users don't use standalone - they use the WAR version with their own Tomcat/other-app-server. None of my current clients are using the bundled version of Tomcat for assorted reasons.

All I can really recommend when it comes to specific versions is that you upgrade/patch a test system and see how well it works. I expect you'll be absolutely fine!

Roy Youngman September 25, 2011

Thanks, Nic - very helpful!
