Getting error "Resource name must end with .vm, .vmd, .css or .xml" after Confluence is upgraded
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
After Confluence is upgraded for fixing CVE-2023-22522, when a user tries to access a page or use a feature provided by third party plugins/app, the page is not able to render and redirects the user to a Page not found or System Error page.
環境
Confluence 7.19.17, 8.4.5, 8.5.4, 8.6.2, 8.7.1
診断
When accessing some Confluence pages, it shows the Page Not Found error or System Error page:
In atlassian-confluence.log , you may see the following error stack trace:
2023-12-07 06:20:49,517 ERROR [http-nio-8090-exec-18 url: /display/ABCD, /spaces/viewspace.action, /display/ABCD/Testing, /pages/viewpage.action; user: test] [confluence.util.velocity.VelocityUtils] getRenderedTemplate Error occurred rendering template: theme-press/templates/macros/content-layer.vm
-- url: /display/ABCD | traceId: 34bba0ef64919054 | userName: Test | page: 12345 | action: viewpage
org.apache.velocity.exception.ResourceNotFoundException: Resource name must end with .vm, .vmd, .css or .xml
at com.atlassian.confluence.util.velocity.ConfigurableResourceManager.loadResource(ConfigurableResourceManager.java:331)
at com.atlassian.confluence.util.velocity.ConfigurableResourceManager.getResource(ConfigurableResourceManager.java:305)
at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1400)
at org.apache.velocity.runtime.directive.Parse.render(Parse.java:198)
at com.atlassian.confluence.setup.velocity.ProfilingParseDirective.render(ProfilingParseDirective.java:21)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:175)
at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336)
at org.apache.velocity.Template.merge(Template.java:328)
at org.apache.velocity.Template.merge(Template.java:235)
at com.atlassian.confluence.util.velocity.VelocityUtils.renderTemplateWithoutSwallowingErrors(VelocityUtils.java:70)
at com.atlassian.confluence.util.velocity.VelocityUtils.renderTemplateWithoutSwallowingErrors(VelocityUtils.java:76)
at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplateWithoutSwallowingErrors(VelocityUtils.java:63)
at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplate(VelocityUtils.java:42)
at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplate(VelocityUtils.java:33)
...
...原因
In recent CVE-2023-22522 fix, Confluence is limited to only able execute file type with .vm, .vmd, .css or .xml.
ソリューション
Atlassian suggest to disable the app/plugins that throwing the error to avoid impact to daily work.
We encourage strongly to reach out to the plugin/app vendor who provides the feature, in order to update the plugin/app and make it compatible with the Confluence version affected.