How to disable the JMX network port (for CVE-2023-22508)
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
If you're running a Confluence Server or Data Center instance, you may have been reading about CVE-2023-22508.
If you're running an affected version of Confluence, you're only vulnerable if you currently have a TCP port enabled for JMX, as outlined in Live Monitoring Using the JMX Interface.
TCP ports for JMX are not configured by default in Confluence.
Diagnosis
On Windows:
The JMX parameters will either be in setenv.bat within your <installation_path>/bin/ directory (if you start Confluence from the .bat file) or in the Java tab of your Windows service; see Configuring System Properties for more information. Look for lines such as:
```bat
set CATALINA_OPTS=-Dcom.sun.management.jmxremote %CATALINA_OPTS%
set CATALINA_OPTS=-Dcom.sun.management.jmxremote.port=8099 %CATALINA_OPTS%
```
On Linux:
The JMX parameters will be listed in the setenv.sh file within your <installation_path>/bin/ directory:
```sh
CATALINA_OPTS="-Dcom.sun.management.jmxremote ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=8099 ${CATALINA_OPTS}"
```
The parameter that matters is com.sun.management.jmxremote.port: that is what opens the TCP listener. A bare -Dcom.sun.management.jmxremote with no port only enables local (same-host) JMX and opens no network port. Whichever file you edit, also confirm against the running JVM's command line (for example with ps, or with jcmd's VM.system_properties), because JVM flags can also be supplied through JAVA_OPTS, a systemd unit or another wrapper rather than setenv.
Environment
Even if your Confluence version is impacted, you must have also configured a JMX network port (as above) to be vulnerable. If you have never configured remote JMX monitoring, you are not vulnerable, even if your version contains the vulnerability.
For Confluence 8.x, this is fixed in 8.2 and later versions.
For Confluence 7.19.x (LTS), this is fixed in 7.19.8.
For Confluence 7.13.x (LTS), this is fixed in 7.13.20.
Version | Impact (when a JMX TCP port is configured) |
---|---|
8.4 | Fixed |
8.3.2 | Fixed |
8.3.1 | Fixed |
8.3 | Fixed |
8.2.3 | Fixed |
8.2.2 | Fixed |
8.2.1 | Fixed |
8.2 | Fixed |
8.1.4 | Affected |
8.1.3 | Affected |
8.1.2 | Affected |
8.1.1 | Affected |
8.1 | Affected |
8.0.4 | Affected |
8.0.3 | Affected |
8.0.2 | Affected |
8.0.1 | Affected |
8.0 | Affected |
7.20.3 | Affected |
7.20.2 | Affected |
7.20.1 | Affected |
7.20 | Affected |
7.19.11 | Fixed |
7.19.10 | Fixed |
7.19.9 | Fixed |
7.19.8 | Fixed |
7.19.7 | Affected |
7.19.6 | Affected |
7.19.5 | Affected |
7.19.4 | Affected |
7.19.3 | Affected |
7.19.2 | Affected |
7.19.1 | Affected |
7.19 | Affected |
7.18.3 | Affected |
7.18.2 | Affected |
7.18.1 | Affected |
7.18 | Affected |
7.17.5 | Affected |
7.17.4 | Affected |
7.17.3 | Affected |
7.17.2 | Affected |
7.17.1 | Affected |
7.17 | Affected |
7.16.5 | Affected |
7.16.4 | Affected |
7.16.3 | Affected |
7.16.2 | Affected |
7.16.1 | Affected |
7.16 | Affected |
7.15.3 | Affected |
7.15.2 | Affected |
7.15.1 | Affected |
7.15 | Affected |
7.14.4 | Affected |
7.14.3 | Affected |
7.14.2 | Affected |
7.14.1 | Affected |
7.14 | Affected |
7.13.20 | Fixed |
7.13.19 | Affected |
7.13.18 | Affected |
7.13.17 | Affected |
7.13.16 | Affected |
7.13.15 | Affected |
7.13.14 | Affected |
7.13.13 | Affected |
7.13.12 | Affected |
7.13.11 | Affected |
7.13.10 | Affected |
7.13.9 | Affected |
7.13.8 | Affected |
7.13.7 | Affected |
7.13.6 | Affected |
7.13.5 | Affected |
7.13.4 | Affected |
7.13.3 | Affected |
7.13.2 | Affected |
7.13.1 | Affected |
7.13 | Affected |
7.12.x and below | See the CVE-2023-22508 advisory |
Solution
If you haven't enabled the com.sun.management.jmx* JVM parameters as outlined above, your Confluence instance is not vulnerable to CVE-2023-22508, even if you're on an affected version.
However, if you have configured JMX on a TCP port and wish to shut it down, remove the com.sun.management.jmx* parameters from your Confluence JVM parameter list (as shown in the code blocks above) and then restart Confluence. If you still need remote JMX monitoring, upgrade to one of the fixed versions listed above instead of relying on the port being closed.
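The following script is an added example for this article, not Atlassian's own tooling. It shows the Linux side of the Diagnosis and Solution steps above in one place: it reports the JMX TCP port configured in a setenv.sh (ignoring a bare -Dcom.sun.management.jmxremote, which opens no listener) and writes a copy of the file with every com.sun.management.jmxremote* flag stripped while leaving other JVM flags on the same line intact. The setenv.sh it works on is constructed inline for the demo; the path, the heap flags and the confluence.home value are assumptions. On a real host point SETENV at <installation_path>/bin/setenv.sh, review the generated file, swap it in, and restart Confluence.

```sh
#!/bin/sh
# Added example for this article, not Atlassian's own tooling: find the JMX TCP
# port configured in a Confluence setenv.sh and write a copy of the file with
# every com.sun.management.jmxremote* JVM flag removed. The setenv.sh used
# below is constructed for the demo; on a real host point SETENV at
# <installation_path>/bin/setenv.sh (on Windows the same flags live in
# setenv.bat or the service's Java tab, which this script does not edit).

# Print the port from the first non-comment -Dcom.sun.management.jmxremote.port=NNNN
# in file $1 and return 0; return 1 when no JMX TCP port is configured there.
# A bare -Dcom.sun.management.jmxremote (no .port) opens no listener, so it is
# deliberately not treated as a hit.
jmx_port_in_file() {
    port=$(grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.port=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Copy $1 to $2 with every -Dcom.sun.management.jmxremote* token removed.
# Other flags sharing a line are kept; a line left as
# CATALINA_OPTS="${CATALINA_OPTS}" is dropped because it no longer does anything.
strip_jmx_flags() {
    sed -e 's/-Dcom\.sun\.management\.jmxremote[^[:space:]"]*[[:space:]]*//g' \
        -e '/^CATALINA_OPTS="[[:space:]]*[$]{CATALINA_OPTS}"[[:space:]]*$/d' \
        "$1" > "$2"
}

# --- demo on a constructed setenv.sh ---
WORK=$(mktemp -d)
SETENV="$WORK/setenv.sh"
cat > "$SETENV" <<'EOF'
# constructed sample: heap settings plus the JMX lines from the Diagnosis section
CATALINA_OPTS="-Xms1024m -Xmx1024m ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=8099 ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote.ssl=false -Dconfluence.home=/var/atlassian/confluence ${CATALINA_OPTS}"
export CATALINA_OPTS
EOF

if port=$(jmx_port_in_file "$SETENV"); then
    echo "JMX TCP port configured in $SETENV: $port"
else
    echo "No JMX TCP port configured in $SETENV"
fi

FIXED="$WORK/setenv.sh.nojmx"
strip_jmx_flags "$SETENV" "$FIXED"
echo "--- $FIXED (replace setenv.sh with this, then restart Confluence) ---"
cat "$FIXED"
```

The strip step works on tokens rather than whole lines so that a line like the ssl=false one in the sample keeps its unrelated -Dconfluence.home flag. Keep the original setenv.sh as a backup before replacing it, and remember that the change only takes effect after Confluence is restarted.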
Example
Before removal, with JMX configured on port 8099 (for example) through one of the code blocks above, the port shows as LISTEN in netstat output:
```
$ netstat -an | grep LISTEN
tcp46 0 0 *.5801 *.* LISTEN
tcp46 0 0 *.8090 *.* LISTEN
tcp46 0 0 *.60770 *.* LISTEN
tcp46 0 0 *.8099 *.* LISTEN <<---- Example JMX port (actual port number depends on JVM parameter used)
```
Once the JMX parameters have been removed and Confluence restarted, the JMX port no longer appears as LISTEN in the netstat output:
```
$ netstat -an | grep 8099
$
```
Note that com.sun.management.jmxremote.port is the RMI registry port; the JMX RMI server itself is exported on a second port, which is ephemeral unless pinned with com.sun.management.jmxremote.rmi.port, so expect one further listener to disappear after the restart as well. On Linux hosts without netstat, ss -ltn shows the same listening sockets.
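As an added example that is not part of the original article, the script below turns the post-restart check into something scriptable: it parses socket-listing output and reports whether a given port is still listening. It understands the BSD/macOS netstat -an layout shown above (*.8099) as well as Linux netstat -an (0.0.0.0:8099, :::8099) and ss -ltn ([::]:8099). The two sample outputs are constructed for the demo and only echo the layout of the listing above; the function names are this example's own.

```sh
#!/bin/sh
# Added example for this article, not Atlassian's own tooling: decide from
# socket-listing output whether a JMX port is still LISTENING after the
# restart. Handles BSD/macOS "netstat -an" (*.8099), Linux "netstat -an"
# (0.0.0.0:8099, :::8099) and "ss -ltn" ([::]:8099). Samples are constructed.

# Read netstat -an or ss -ltn output on stdin; print each listening TCP port once.
listening_tcp_ports() {
    awk '
        # netstat: proto recv-q send-q local foreign state (tcp lines only)
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, /[.:]/); print a[n]; next }
        # ss -ltn: State Recv-Q Send-Q Local:Port Peer:Port (header starts with State)
        $1 == "LISTEN"                 { n = split($4, a, ":");    print a[n] }
    ' | sort -un
}

# Return 0 if TCP port $1 is among the listening ports read from stdin.
port_is_listening() {
    listening_tcp_ports | grep -qx "$1"
}

# Live check of the running host: prefer ss, fall back to netstat.
jmx_port_still_open() {
    { ss -ltn 2>/dev/null || netstat -an 2>/dev/null; } | port_is_listening "$1"
}

# Print a verdict for port $2 given listing text $3, labelled $1.
report() {
    if printf '%s\n' "$3" | port_is_listening "$2"; then
        echo "$1: port $2 is still LISTENING, the JMX flags are still in effect"
    else
        echo "$1: port $2 is not listening"
    fi
}

# --- demo on constructed output; 8099 is the example port from the article ---
SAMPLE_NETSTAT='tcp46      0      0  *.5801                 *.*                    LISTEN
tcp46      0      0  *.8090                 *.*                    LISTEN
tcp46      0      0  *.60770                *.*                    LISTEN
tcp46      0      0  *.8099                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
udp4       0      0  *.123                  *.*'

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       100     *:8090              *:*
LISTEN  0       50      [::]:5801           [::]:*'

report "before restart (netstat)" 8099 "$SAMPLE_NETSTAT"
report "after restart (ss)" 8099 "$SAMPLE_SS"
```

Match on the exact port with grep -x rather than a substring search: a plain grep 8099 would also match 18099 or a foreign-address port, which is the kind of false positive that makes a post-change check unreliable. Run jmx_port_still_open 8099 (with your own port) on the host after the restart to apply the same logic to live output.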
If you have any questions then Atlassian recommends that you open a support ticket for further advice and assistance. When opening a support ticket, you will receive a quicker answer if you're able to generate and attach a support zip.