Here are some important notes on upgrading to Confluence 10.0. For details of the new features and improvements in this release, see the Confluence 10.0 release notes.

Upgrade notes

Spring and Jakarta upgrade 

To maintain high security standards and keep dependencies supported and up to date, we’re upgrading Spring to the 6.x line, Jakarta to EE Platform 10, Apache Tomcat to 10.1 as well as other libraries that depend on Spring and Jakarta.

The Apache Tomcat upgrade also introduces changes under the Jakarta Servlet specification. If you rely on custom server settings or connectors, review the following before upgrading:

• Check custom server.xml configurations, especially any references to "javax.servlet" APIs. Tomcat 10.1 has migrated to the "jakarta.servlet" namespace.
• Verify that any connectors (HTTP, AJP, etc.) are still supported and properly configured in Tomcat 10.1.
• Confirm that any security or TLS/SSL settings are compatible with Tomcat 10.1’s default cryptographic protocols.

For detailed information on the changes introduced in Tomcat 10.1, consult the official Apache Tomcat documentation.

Removal of deprecated components in AUI 10

We’re removing some outdated AUI 10 components with design and accessibility issues (Dropdown 1 and Toolbar 1) and updating internal dependencies to better support jQuery 3 and proactively address security issues.

End of support for LESS

To enhance security and performance, we’re removing the ability to transform LESS to CSS at runtime and requiring it to be transpiled into CSS at compile time.

Removal of Trusted apps

Trusted apps won't be available starting from Confluence 10.0. We’re removing Trusted apps to reduce the number of insecure entry points into the products. We’ve replaced this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.

End of support for the Original theme

With the new light and dark themes that brought accessibility and usability improvements, we’re removing the original theme from all products.

Global serialization filter

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

We’ve implemented several important changes regarding the use of XStream:

1. XStream now includes a predefined blocklist of known vulnerable classes that are prohibited from being serialized or deserialized.
2. If there is a need to serialize or deserialize custom class types, apps must define these types in their module descriptor. For example:
   

   <xstream-security key="xstream-allowlist" name="XStream allow-list set">
           <type>java.util.Map</type>
   </xstream-security>

3. The option to allow types through regular expressions has been removed.

App signing is now enabled by default for app installations

In this release, app signing is enabled by default. This feature improves app security and was gradually rolled out across Data Center products. For details, check out this community post.

App signing affects only new app installations; already installed apps will remain intact.

The steps you need to take differ depending on whether you install applications from the Marketplace or build your custom applications.

Install apps from the Marketplace

To do so:

1. Configure the location of the truststore folder as described in Configuring UPM app signature check.
2. Download and install the Atlassian Certificates bundle. For details, see Updating Atlassian Certificate Bundles.
3. That’s it! Enjoy the safe app installations from the Marketplace.

Install custom apps

If you use custom application builds, you can sign and secure your apps:

1. Configure the location of the truststore folder as described in Configuring UPM app signature check.
2. Get the app signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.
3. Put your new certificate in your trust store as described in Updating Atlassian Certificate Bundles.
4. Install the signed application.

If you’re experiencing issues, check out App signing troubleshooting.

Enhanced security with Content Security Policy

We're implementing Content Security Policy (CSP) in Confluence 10.0. This new feature enhances security by instructing your web browser on what content is allowed to run on the page, significantly reducing the risk of cross-site scripting (XSS) and other code injection attacks. By controlling which resources a document can load, CSP helps protect against data exfiltration and improves the overall stability and reliability of Confluence.

In Confluence 10.0, the script-src CSP header is enabled in a report-only mode. This means that while the system logs any violations, it won't block resources, allowing us to monitor potential security issues without affecting your experience. Full enforcement of CSP will be introduced in Confluence 11.

Supported platforms changes

We’re adding support for the following databases:

• PostgreSQL 17

We’re also removing support for:

• PostgreSQL 15
• Java 17

This version of the product will only run on Java 21.

See the complete list of supported platforms

End of support announcements

There are no advance announcements this time.

For more information on these notices, see End of Support Announcements for Confluence.

Infrastructure changes 

Head to Preparing for Confluence 10.0 to find out more about changes under the hood. 

Known issues

There are no known issues in this version.

Upgrade procedure

Always test the upgrade in a test environment before upgrading in production.

To upgrade Confluence to the latest version:

1. From the Administration menu , select Manage apps, and then Confluence update check to verify the compatibility of your user-installed apps with the target application version.

2. From the Administration menu , select General Configuration, and then Plan your upgrade and the version you want to upgrade to. This will run the pre-upgrade checks.
3.  From the Administration menu , select General Configuration, and then Troubleshooting and support tools to check your license validity, application server, database setup, and more.
4. If your version of Confluence is more than one version behind, read the release notes and upgrade guides  for all releases between your version and the latest version.
5. Back up your installation directory, home directory, and database.
6. Download the latest version of Confluence.
7. Follow the instructions in the Upgrade Guide.

Update configuration files after upgrading

The contents of configuration files such as server.xml, web.xml , setenv.bat / setenv.sh, and confluence-init.properties change from time to time. 

When upgrading, we recommend manually reapplying any additions to these files (such as proxy configuration, datasource, JVM parameters) rather than simply overwriting the file with the file from your previous installation; otherwise you will miss out on any improvements we have made.