How to disable the JMX network port (for CVE-2023-22508)
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
If you're running a Confluence Server or Data Center instance then you may have been reading about CVE-2023-22508:
- CONFSERVER-88221
If you're running an affected version of Confluence, you're only vulnerable if you currently have a TCP port enabled for JMX, as outlined in Live Monitoring Using the JMX Interface. TCP ports for JMX are not configured by default in Confluence.
On Windows:
JMX parameters will either be in setenv.bat within your <installation_path>/bin/ directory (if you start Confluence from the .bat file) or in the Java tab of your Windows service - see Configuring System Properties for more information.
set CATALINA_OPTS=-Dcom.sun.management.jmxremote %CATALINA_OPTS%
set CATALINA_OPTS=-Dcom.sun.management.jmxremote.port=8099 %CATALINA_OPTS%
On Linux:
JMX parameters will be listed in the setenv.sh file within your <installation_path>/bin/ directory:
CATALINA_OPTS="-Dcom.sun.management.jmxremote ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=8099 ${CATALINA_OPTS}"
Environment
Check your version of Confluence by expanding the macro below.
Solution
If you haven't enabled the com.sun.management.jmx* JVM parameters as outlined above, your Confluence instance is not vulnerable to CVE-2023-22508, even if you're on an affected version.
However, if you have configured JMX on a TCP port and wish to shut it down, you can remove the com.sun.management.jmx* parameters from your Confluence JVM parameter list (as shown in the code blocks above) and then restart Confluence.
Example
Before removal, I may have had JMX configured on port 8099 (for example) using one of the above code blocks in my Confluence JVM parameters. This would show as LISTEN in netstat output:
$ netstat -an | grep LISTEN
tcp46 0 0 *.5801 *.* LISTEN
tcp46 0 0 *.8090 *.* LISTEN
tcp46 0 0 *.60770 *.* LISTEN
tcp46 0 0 *.8099 *.* LISTEN <<---- Example JMX port (actual port number depends on JVM parameter used)
Once the JMX parameters have been removed and Confluence has been restarted, the JMX port should no longer appear in LISTEN state in netstat output:
$ netstat -an | grep 8099
$
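The same check as a script, added here as an example and not part of Atlassian's article: it lists the com.sun.management.jmxremote* parameters active in a setenv.sh and tests whether the configured port is in LISTEN state, matching the local port exactly instead of using a bare grep. The function names and the sample file are constructed for illustration, and the netstat parsing assumes the Linux or macOS column layout.

```shell
#!/usr/bin/env bash
# Added example (not Atlassian code): audit a setenv.sh for JMX remote settings.

# Print each com.sun.management.jmxremote* parameter on a non-comment line.
jmx_params() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -oE -e '-Dcom\.sun\.management\.jmxremote[A-Za-z.]*(=[^[:space:]"]*)?' || true
}

# Print the configured JMX TCP port, or nothing if none is set.
jmx_port() {
    jmx_params "$1" |
        sed -n 's/^-Dcom\.sun\.management\.jmxremote\.port=\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# Read `netstat -an` output on stdin; succeed only if a socket is in LISTEN
# state on exactly this local port. Handles both "*.8099" and "0.0.0.0:8099",
# and avoids the false hits a bare `grep 8099` gives (18099, remote ports).
port_listening() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ ("[.:]" p "$") { found = 1 }
                   END { exit !found }'
}

# Report on one setenv.sh; return status 1 means a JMX port is still listening.
audit() {
    local port
    jmx_params "$1" | sed 's/^/configured: /'
    port=$(jmx_port "$1")
    [ -n "$port" ] || { echo "no JMX TCP port configured in $1"; return 0; }
    if netstat -an | port_listening "$port"; then
        echo "JMX port $port is LISTENING"; return 1
    fi
    echo "JMX port $port configured but not listening (restart pending?)"
}

# Constructed sample setenv.sh content: one commented-out and two active lines.
sample_setenv() {
    cat <<'EOF'
# CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=7777 ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote ${CATALINA_OPTS}"
CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=8099 ${CATALINA_OPTS}"
EOF
}

# Usage: ./jmx_audit.sh <installation_path>/bin/setenv.sh
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A non-zero exit status from audit means the port from setenv.sh is still open, which is the state to resolve before treating the instance as unaffected.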
If you have any questions then Atlassian recommends that you open a support ticket for further advice and assistance. When opening a support ticket, you will receive a quicker answer if you're able to generate and attach a support zip.