Confluence 7.13 Release Notes
17 August 2021
We're excited to present Confluence 7.13.
Thanks for your feedback
More than 3,000 votes satisfied since the last Long Term Support release.
Confluence Server and Data Center 7.13 is a Long Term Support release
This means we'll provide bug fix releases until 7.13 reaches end of life, to address critical security, stability, data integrity, and performance issues.
Ready to upgrade? Check the 7.13 LTS change log for a roll-up of changes since 7.4.
Long Term Support release roundup
It's been more than 12 months since our last long term support release, Confluence 7.4. In that time we've shipped a huge amount of value, especially for Data Center:
- More audit log events, including logging end-user activity
- Single sign-on with OpenID
- Access logging enabled by default
- Webhooks and personal access tokens for better integrations
- Analytics for tracking page views, edits, and more.
All in all, we've resolved over 260 issues since 7.4.0. For a bird's-eye view of all the changes, check out the Confluence 7.13 Long Term Support Release Change Log.
So what can you expect from Confluence 7.13? We've been focused on raising the already high bar we’ve set for quality, stability, and performance, and have tackled some particularly high impact bugs to make sure Confluence 7.13 is the best it can be.
Upgrading to a new Long Term Support release is a great time to check your site security. We've put together a list of things you might want to check as part of this upgrade, as our recommendations may have changed since you first installed Confluence.
- Subscribe to advisory alerts and keep technical contact details up to date
Receive security advisory alerts and other important technical updates.
Atlassian email and privacy preferences
- Run Confluence with a dedicated non-root user account
Limit that account to just the directories that Confluence needs to write to.
Learn how to create a dedicated user account
- Limit the accounts that can access Confluence directories
Ensure only selected user accounts can read and write to Confluence directories, including custom directories where you might store attachments, backups, or data pipeline exports.
Learn how to allow the account to write to particular directories
- Limit hosts which can mount network file systems
Limit the hosts that can mount NFS file systems to just the Confluence host (such as in the /etc/exports file in Linux). Refer to your operating system documentation to find out how to do this.
- Limit database access
Limit database access to just the Confluence host (using iptables or built-in database security tools). Refer to your database documentation to find out how to do this.
- Use secure administrator sessions
Require admins to re-enter their password to access admin functions, and set a short timeout for the administrator session.
Learn how to turn on secure administrator sessions
- Use the allowlist
Limit incoming and outgoing connections to avoid Server-Side Request Forgery (SSRF) attacks.
Learn how to turn on the allowlist
- Use personal access tokens for integrations
Provide a more secure way to authenticate API requests than basic authentication (username and password).
Learn how to manage personal access tokens
- Review confluence-administrators group membership
Members of this 'super group' can access all admin functions and access all content, including restricted pages. Consider limiting the members of this group and instead create a new group with system administrator global permissions.
Learn about the confluence-administrators super group
- Review administrator account practices
Avoid shared admin accounts, and easily guessed usernames like 'admin' or 'jdoe'. Consider providing administrators with two accounts, allowing them to use different accounts for day-to-day Confluence use and administrator tasks.
- Monitor the access log
Access logs can help you identify unusual activity. Logs are written to the install directory, and you may want to monitor these logs using your preferred monitoring tool.
Learn about access logging
- Use rate limiting to block all requests from anonymous users (Data Center)
Block REST API requests from anonymous users if you don't have a reason to allow them, or limit the number of requests to reduce the risk of DoS attacks.
Learn how to use rate limiting to block requests
- Review audit log settings (Data Center)
The audit log capabilities may have changed significantly since your last upgrade. Check which events you can monitor.
Learn which events you can write to the audit log
- Consider single sign-on (Data Center)
There are a number of options for integrating Confluence with your identity provider for SSO.
Learn about the various SSO options available
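One way to check the NFS item in the list above, as an added example that is not Atlassian's code: the script parses `/etc/exports` text and reports every client entry broader than the named Confluence host. The paths, the address 10.0.5.21 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample /etc/exports; paths and addresses are illustrative only.
SAMPLE_EXPORTS = """\
/srv/confluence/shared-home 10.0.5.21(rw,sync,no_subtree_check)
/srv/confluence/attachments 10.0.5.0/24(rw,sync)
/srv/confluence/backups     10.0.5.21 (rw,sync)
/srv/confluence/exports     *(ro) \\
                            10.0.5.21(rw)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    logical = text.replace("\\\n", " ")       # join backslash-continued lines
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            if spec.startswith("-"):          # "-opts" sets line defaults, not a client
                continue
            host, _, opts = spec.partition("(")
            yield path, host, opts.rstrip(")")

def audit_exports(text, allowed_hosts):
    """Return (path, client, reason) for clients beyond the allowed hosts."""
    allowed = set(allowed_hosts)
    findings = []
    for path, host, opts in parse_exports(text):
        if not host:                          # "host (rw)" typo: the options go to everyone
            reason = "options with no host apply to every client"
        elif any(c in host for c in "*?["):
            reason = "wildcard matches more than one host"
        elif host.startswith("@"):
            reason = "netgroup; review its members"
        else:
            try:
                net = ipaddress.ip_network(host, strict=False)
                single, name = net.num_addresses == 1, str(net.network_address)
            except ValueError:
                single, name = True, host     # a plain hostname
            if not single:
                reason = "network range, not a single host"
            elif name not in allowed:
                reason = "not an allowed Confluence host"
            else:
                continue
        findings.append((path, host or "(" + opts + ")", reason))
    return findings
```

Run against the sample with `audit_exports(SAMPLE_EXPORTS, ["10.0.5.21"])`, it flags the /24 range, the stray space before `(rw,sync)`, and the `*` wildcard, and passes the two entries that name only the Confluence host.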
For full details of bugs fixed and suggestions resolved, head to Jira.
Released on 17 August 2021
Get ready to upgrade
Our wonderful customers...
You play an important role in making Confluence better. Thanks to everyone who participated in interviews with us, made suggestions, voted, and reported bugs!