Workaround for CVE-2022-26134 - Windows version

Markus Sveinn Markusson June 10, 2022 edited

Confluence Windows version 7.7.2.

The workaround suggested by Atlassian includes the replacement of three files:

xwork-1.0.3-atlassian-10.jar
webwork-2.1.5-atlassian-4.jar
CachedConfigurationProvider.class

None of these files can be found in the Confluence directory tree.

Does this vulnerability apply to the Windows version, and if so, what would be the correct workaround?

 

1 answer

1 accepted

3 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 10, 2022

Yes, this vulnerability applies to Windows editions as well. The files you mentioned are the replacement files, not the files that are currently on your system. You need to download those specific files you mentioned from the Advisory itself. Then remove the existing files with similar (but not exactly the same) names. Then copy the downloaded files to their appropriate locations. If you cannot find this folder, you might want to search for the WEB-INF folder instead. Two of the jar files will be found in the WEB-INF/lib/ directory.

Markus Sveinn Markusson June 10, 2022

Thank you, Andy.

You are correct, the two .jar files have older version numbers, understandably.

The CachedConfigurationProvider.class is nowhere to be found, though.

Regards,
Markus

Andy Heinzer
Atlassian Team
June 10, 2022

Yes, that is expected as well. That .class file has to be added to a separate directory.

  • Change to directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup

    1. Create a new directory called webwork

    2. Copy CachedConfigurationProvider.class into <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

    3. Ensure the permissions and ownership are correct for:

      <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
      <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class

Markus Sveinn Markusson June 13, 2022

Thank you very much, Andy. Workaround procedure completed.
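
A read-only check of the file layout described in the answer above, added here as an example; it is not part of the thread or of Atlassian's advisory. The default install path, the wildcard patterns used to spot older jars, and the owner comparison against WEB-INF\lib are assumptions of this example.

```powershell
# Added example: read-only check of the workaround file layout from this thread.
param(
    # Hypothetical default; pass your own <confluence-install> path.
    [string]$InstallDir = 'C:\Program Files\Atlassian\Confluence'
)

function Test-WorkaroundLayout {
    param([Parameter(Mandatory)][string]$InstallDir)

    $webInf   = Join-Path $InstallDir 'confluence\WEB-INF'
    $lib      = Join-Path $webInf 'lib'
    $classDir = Join-Path $webInf 'classes\com\atlassian\confluence\setup\webwork'
    $findings = @()

    if (-not (Test-Path -LiteralPath $lib -PathType Container)) {
        return @("WEB-INF\lib not found under $InstallDir")
    }

    # Replacement jar names as given in the thread. The wildcard patterns for
    # the older jars ("similar but not exactly the same names") are an assumption.
    $expected = [ordered]@{
        'xwork-*.jar'   = 'xwork-1.0.3-atlassian-10.jar'
        'webwork-*.jar' = 'webwork-2.1.5-atlassian-4.jar'
    }
    $libNames = @(Get-ChildItem -LiteralPath $lib -File | Select-Object -ExpandProperty Name)
    foreach ($pattern in $expected.Keys) {
        $want  = $expected[$pattern]
        $names = @($libNames | Where-Object { $_ -like $pattern })
        if ($names -notcontains $want) { $findings += "missing: lib\$want" }
        foreach ($n in $names) {
            if ($n -ne $want) { $findings += "old jar still present: lib\$n" }
        }
    }

    $class = Join-Path $classDir 'CachedConfigurationProvider.class'
    if (-not (Test-Path -LiteralPath $class -PathType Leaf)) {
        $findings += "missing: $class"
    } else {
        # Step 3 of the answer. Comparing with the owner of WEB-INF\lib is a
        # heuristic chosen for this example, not a rule from the advisory.
        $ref = (Get-Acl -LiteralPath $lib).Owner
        foreach ($p in $classDir, $class) {
            $owner = (Get-Acl -LiteralPath $p).Owner
            if ($owner -ne $ref) { $findings += "owner '$owner' differs from lib owner '$ref': $p" }
        }
    }
    return $findings
}

$result = @(Test-WorkaroundLayout -InstallDir $InstallDir)
if ($result.Count -eq 0) { 'Layout matches the workaround described above.' } else { $result }
```

The script only reads the directory tree and ACLs; it does not move, delete or copy any file.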
