Getting error "Resource name must end with .vm, .vmd, .css or .xml" after Confluence is upgraded
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After Confluence is upgraded for fixing CVE-2023-22522, when a user tries to access a page or use a feature provided by third party plugins/app, the page is not able to render and redirects the user to a Page not found or System Error page.
Environment
Confluence 7.19.17, 8.4.5, 8.5.4, 8.6.2, 8.7.1
Diagnosis
When accessing some Confluence pages, it shows the Page Not Found error or System Error page:
In atlassian-confluence.log , you may see the following error stack trace:
2023-12-07 06:20:49,517 ERROR [http-nio-8090-exec-18 url: /display/ABCD, /spaces/viewspace.action, /display/ABCD/Testing, /pages/viewpage.action; user: test] [confluence.util.velocity.VelocityUtils] getRenderedTemplate Error occurred rendering template: theme-press/templates/macros/content-layer.vm
-- url: /display/ABCD | traceId: 34bba0ef64919054 | userName: Test | page: 12345 | action: viewpage
org.apache.velocity.exception.ResourceNotFoundException: Resource name must end with .vm, .vmd, .css or .xml
at com.atlassian.confluence.util.velocity.ConfigurableResourceManager.loadResource(ConfigurableResourceManager.java:331)
at com.atlassian.confluence.util.velocity.ConfigurableResourceManager.getResource(ConfigurableResourceManager.java:305)
at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1400)
at org.apache.velocity.runtime.directive.Parse.render(Parse.java:198)
at com.atlassian.confluence.setup.velocity.ProfilingParseDirective.render(ProfilingParseDirective.java:21)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:175)
at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336)
at org.apache.velocity.Template.merge(Template.java:328)
at org.apache.velocity.Template.merge(Template.java:235)
at com.atlassian.confluence.util.velocity.VelocityUtils.renderTemplateWithoutSwallowingErrors(VelocityUtils.java:70)
at com.atlassian.confluence.util.velocity.VelocityUtils.renderTemplateWithoutSwallowingErrors(VelocityUtils.java:76)
at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplateWithoutSwallowingErrors(VelocityUtils.java:63)
at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplate(VelocityUtils.java:42)
at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplate(VelocityUtils.java:33)
...
...Cause
In recent CVE-2023-22522 fix, Confluence is limited to only able execute file type with .vm, .vmd, .css or .xml.
Solution
Atlassian suggest to disable the app/plugins that throwing the error to avoid impact to daily work.
We encourage strongly to reach out to the plugin/app vendor who provides the feature, in order to update the plugin/app and make it compatible with the Confluence version affected.