createpage-entervariables.action attempted by userName: anonymous - sign of a breach?

Lucinda Stroud February 7, 2022

Hi all, our Confluence site went down earlier today but came back up following an application restart.  In looking through the logs, I found multiple entries that raised my antennae a bit:

2022-02-06 06:01:40,150 ERROR [http-nio-8090-exec-5001 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: 2448bc04bc14180b | userName: anonymous | action: createpage-entervariables

-- url: /pages/createpage-entervariables.action | traceId: d34ab04173918629 | userName: anonymous | action: createpage-entervariables
2022-02-06 09:33:42,418 WARN [Caesium-1-3] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-06 09:35:14,357 ERROR [http-nio-8090-exec-5070 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap

Anonymous access is not enabled for our site, nor are users enabled to set up their own accounts.

Running 7.13.0  on a Linux server.  Not seeing anything suspicious or eating up memory in top.  Is this cause for concern?

2 answers

Answer accepted
Brant Schroeder
Community Leader
February 7, 2022

@Lucinda Stroud The version you are on is susceptible to a vulnerability, so you should upgrade it. Is your Confluence instance open to the web, or do you have to be on your local network or VPN to access it? Are you sure that none of the spaces have anonymous access set up? When the site went down, what was happening in the logs at that time? What was happening on the server? Have you worked with your network team to see if there is traffic from unexpected regions? These are all things you should check as you work to identify what actually happened.

Lucinda Stroud February 10, 2022

Thanks @Brant Schroeder. Using the Access log, it does look like an IP from Egypt has been attempting to create pages repeatedly, but without success. We've blocked that IP just to be safe. Anonymous access is disabled globally. I don't know if those repeated attempts would have prompted the application to need to be restarted, as there weren't any upticks in activity until I actually stopped and started the application. We will look into upgrading soon just to be safe.

Answer accepted
Tim Perrault
Rising Star
February 7, 2022

Hi @Lucinda Stroud

Looks like a health check is failing specifically for the security vulnerabilities. It checks if your application version is listed as an affected version for any critical security vulnerabilities published at www.atlassian.com/trust/security/advisories.

Thanks,

Tim

Lucinda Stroud February 8, 2022

Thanks for the responses, @Tim Perrault and @Brant Schroeder .

  • Anonymous access is disabled globally.  Is it still possible for sites to individually allow anonymous access?
  • The site is open to the web given the needs of our user base.
  • We upgraded to 7.13.0 in September in response to the CVE-2021-26084 vulnerability; given that the site is not used for displaying code in any way and has no anonymous access granted, we did not upgrade in response to CVE-2021-42574.  Upgrading will require us to upgrade our database as well, so I was hoping to delay that somewhat.
  • I don't have access to the Azure VM that hosts the site, but I am asking the MSP who manages it for any details re: service interruptions or unusual sources of access.

Outage was reported midday PST yesterday, 2/7.  Here are logs leading up from that time to the time when I stopped the application in advance of starting it again.

2022-02-07 08:33:47,191 WARN [Caesium-1-4] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 09:33:47,330 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 10:33:47,132 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 11:33:47,272 WARN [Caesium-1-4] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 12:33:47,256 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 12:41:33,198 INFO [Caesium-1-4] [ratelimiting.internal.configuration.ConfigurationLoggerJob] logConfiguration Periodic rate limiting configuration log. System rate limiting sett$
2022-02-07 13:33:47,371 WARN [Caesium-1-4] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 14:33:47,253 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 15:33:47,122 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 16:33:47,310 WARN [Caesium-1-3] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 17:20:00,249 INFO [Caesium-1-1] [synchrony.service.http.SynchronyRequestExecutor] execute Initiating Locking API request: SynchronyLockRequest
2022-02-07 17:20:00,336 INFO [Caesium-1-1] [synchrony.service.http.SynchronyRequestExecutor] execute Initiating Locking API request: SynchronyUnlockRequest
2022-02-07 17:33:48,172 WARN [Caesium-1-2] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 17:50:00,128 INFO [Caesium-1-2] [synchrony.service.http.SynchronyRequestExecutor] execute Initiating Locking API request: SynchronyLockRequest
2022-02-07 17:50:00,179 INFO [Caesium-1-2] [synchrony.service.http.SynchronyRequestExecutor] execute Initiating Locking API request: SynchronyUnlockRequest
2022-02-07 18:33:47,258 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 19:33:48,090 WARN [Caesium-1-4] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 20:33:47,200 WARN [Caesium-1-3] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 21:33:47,273 WARN [Caesium-1-3] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-07 22:00:00,132 INFO [Caesium-1-3] [synchrony.service.http.SynchronyRequestExecutor] execute Initiating Locking API request: SynchronyLockRequest
2022-02-07 22:00:00,199 INFO [Caesium-1-3] [synchrony.service.http.SynchronyRequestExecutor] execute Initiating Locking API request: SynchronyUnlockRequest
2022-02-07 22:22:02,582 WARN [Caesium-1-3] [atlassian.upm.pac.PacClientImpl] fetchMpacAppInfo Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException$
2022-02-07 22:33:47,160 WARN [Caesium-1-3] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-08 00:33:47,346 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] lambda$getCompletedStatuses$0 Health check 'Security Vulnerabilities' failed w$
2022-02-08 00:41:33,198 INFO [Caesium-1-3] [ratelimiting.internal.configuration.ConfigurationLoggerJob] logConfiguration Periodic rate limiting configuration log. System rate limiting sett$
2022-02-08 01:05:03,179 INFO [Catalina-utility-2] [com.atlassian.confluence.lifecycle] destroy Shutting down long running task service
2022-02-08 01:05:03,181 INFO [Catalina-utility-2] [atlassian.plugin.manager.DefaultPluginManager] lambda$shutdown$5 Preparing to shut down the plugin system
2022-02-08 01:05:03,298 INFO [Catalina-utility-2] [atlassian.plugin.manager.DefaultPluginManager] lambda$shutdown$5 Shutting down the plugin system
2022-02-08 01:05:06,402 INFO [FelixShutdown] [plugins.synchrony.bootstrap.DefaultSynchronyProcessManager] stopProcess Stopping Synchrony...
2022-02-08 01:05:09,449 INFO [FelixShutdown] [plugins.synchrony.bootstrap.DefaultSynchronyProcessManager] stopProcess Stopping Synchrony...
2022-02-08 01:05:09,630 WARN [FelixShutdown] [insights.core.service.DefaultDataExportOrchestrator] destroy DefaultDataExportOrchestrator is about to be destroyed. Cancelling possible in fl$
2022-02-08 01:05:11,627 WARN [FelixShutdown] [addons.analytics.scheduler.EventLimiterScheduleManagerImpl] destroy Destroying Event Limiter Schedule
2022-02-08 01:05:11,630 WARN [FelixShutdown] [addons.analytics.scheduler.DataRetentionScheduleManagerImpl] destroy Destroying Data Retention Schedule

A few minutes into the application being started up again:

2022-02-08 01:29:54,816 ERROR [http-nio-8090-exec-12 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: 3abd9df43cc750fc | userName: anonymous | action: createpage-entervariables
2022-02-08 01:29:55,045 WARN [http-nio-8090-exec-12 url: /pages/createpage-entervariables.action] [theme.original.cache.DefaultRefinedCache] loadFooter Current user doesn't match with requ$
-- url: /pages/createpage-entervariables.action | traceId: 3abd9df43cc750fc | userName: anonymous
2022-02-08 01:36:51,124 ERROR [http-nio-8090-exec-41 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: 3594f6a050532e05 | userName: anonymous | action: createpage-entervariables
2022-02-08 01:43:51,182 ERROR [http-nio-8090-exec-16 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: fbae4c9dce6517bb | userName: anonymous | action: createpage-entervariables

-- url: /pages/createpage-entervariables.action | traceId: 26f0f95e0e6f3a9c | userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:16,435 ERROR [http-nio-8090-exec-11 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: 77efde8c2a1902c5 | userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:18,498 ERROR [http-nio-8090-exec-42 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: ae70e4bbf728ee78 | userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:18,600 ERROR [http-nio-8090-exec-47 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: b947a776ebf101b6 | userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:19,814 ERROR [http-nio-8090-exec-33 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: 70bdc5a06b9ba0a0 | userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:20,021 ERROR [http-nio-8090-exec-16 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: 00ab40e4232b4873 | userName: anonymous | action: createpage-entervariables

and more of the same throughout today.   
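
An added example, not part of the original posts: a log-triage script that parses entries in the layout quoted above and counts distinct anonymous requests to /pages/createpage-entervariables.action, deduplicating by traceId because one request can log both an ERROR and a WARN entry. The function names and the sample lines (including trace IDs) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

TARGET = "/pages/createpage-entervariables.action"
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+ \[([^\]]*)\]")
FIELD = re.compile(r"(\w+): (\S+)")
# Constructed sample in the layout of the excerpts in this thread; trace IDs are made up.
SAMPLE = """\
2022-02-08 04:29:16,435 ERROR [http-nio-8090-exec-11 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: aaaa000000000001 | userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:17,045 WARN [http-nio-8090-exec-11 url: /pages/createpage-entervariables.action] [theme.original.cache.DefaultRefinedCache] loadFooter
-- url: /pages/createpage-entervariables.action | traceId: aaaa000000000001 | userName: anonymous
2022-02-08 04:29:18,498 ERROR [http-nio-8090-exec-42 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: aaaa000000000002
| userName: anonymous | action: createpage-entervariables
2022-02-08 04:29:19,814 ERROR [http-nio-8090-exec-33 url: /pages/createpage-entervariables.action] [confluence.plugins.synchrony.SynchronyContextProvider] getContextMap
-- url: /pages/createpage-entervariables.action | traceId: aaaa000000000003 | userName: anonymous | action: createpage-entervariables
-- url: /pages/createpage-entervariables.action | traceId: aaaa000000000004 | userName: anonymous | action: createpage-entervariables
2022-02-08 04:33:47,346 WARN [Caesium-1-1] [troubleshooting.healthcheck.concurrent.SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed
"""

def parse(text):
    """Yield one dict per entry; '--' and '|' context lines merge into it, headerless '--' lines get ts=None."""
    entry = None
    for line in text.splitlines():
        m, body = HEADER.match(line), line.lstrip()
        if m or (body.startswith("--") and (entry is None or "traceId" in entry)):
            if entry:
                yield entry
            entry = {"ts": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S") if m else None}
        if entry is not None and (m or body.startswith(("--", "|"))):
            entry.update(FIELD.findall(m[2] if m else body))
    if entry:
        yield entry

def anonymous_requests(text, url=TARGET):
    """Map traceId -> earliest timestamp (None if unknown) for anonymous requests to `url`."""
    seen = {}
    for e in parse(text):
        if e.get("userName") == "anonymous" and e.get("url") == url and "traceId" in e:
            times = [t for t in (seen.get(e["traceId"]), e["ts"]) if t]
            seen[e["traceId"]] = min(times, default=None)
    return seen

def busy_minutes(requests, threshold=3):
    """Return {minute: count} for minutes with at least `threshold` distinct anonymous requests."""
    per_minute = Counter(ts.strftime("%Y-%m-%d %H:%M") for ts in requests.values() if ts)
    return {minute: n for minute, n in per_minute.items() if n >= threshold}
```

Context lines whose timestamped header is missing, as in some of the excerpts above, are still counted as requests but carry no timestamp, so they do not contribute to the per-minute totals.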

Tim Perrault
Rising Star
February 8, 2022

Might be an issue with the collaborative editing. Check this link to see if anything in there will help you.

Lucinda Stroud February 9, 2022

Thanks @Tim Perrault - does that mean that you don't have concern with the repeated 

userName: anonymous | action: createpage-entervariables

attempts? 

Tim Perrault
Rising Star
February 9, 2022

The first thing I would do is run the log analyzer to see if that has any helpful tips.

https://confluence.atlassian.com/support/support-tools-plugin-790796813.html 

If that doesn't help I would open a support ticket to be safe. Better safe than sorry :)

CMorkan February 11, 2022

Hello Lucinda and Tim,

I also get these errors in version 7.13.3. The logfile analyzer does not return any errors, although there are enough such errors in the logfile.

Please let us know as soon as you get feedback from Atlassian as to what the problem is.

Thank you very much & good luck
