The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines (see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for subsequent bugfixes).

The April 2015 blog post for the latest update lists multiple security issues affecting server code, several exploitable over the network, and 3 that are severity 10.0 (their highest rating). They do not provide any details for us to know what these vulnerabilities are, aside from their CVE IDs. See https://blogs.oracle.com/security/entry/april_2015_critical_patch_update for all the details we have, and watch https://access.redhat.com/security/cve/CVE-2015-0491 https://access.redhat.com/security/cve/CVE-2015-0459 and https://access.redhat.com/security/cve/CVE-2015-0469 for publication.

We need to update the bundled version of the JRE to at least 1.7.0_79.

In versions of Confluence where we've dropped support for any JRE other than the one we bundle, we need to do this update as a matter of urgency.
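As an added check (not part of the issue or of Atlassian's code), the script below reads the bundled JRE's `java -version` output and compares it numerically against the 1.7.0_79 baseline named above; the `jre/bin/java` path under the install directory and the sample output strings are assumptions.

```python
import os
import re
import subprocess
from typing import Tuple

# Baseline stated in the issue: update 79 carries the security fixes.
SECURITY_BASELINE = "1.7.0_79"

# Matches "1.7.0_15", "1.7.0_79-b15" and "1.8.0_45"; the update field may be absent.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, update) from `java -version` output or a bare version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Java version found in {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def meets_baseline(text: str, baseline: str = SECURITY_BASELINE) -> bool:
    """Numeric tuple comparison: 1.7.0_100 ranks above 1.7.0_79, which a plain
    string comparison gets wrong because '1' sorts before '7'."""
    return parse_java_version(text) >= parse_java_version(baseline)


def check_bundled_jre(install_dir: str) -> bool:
    """Run the JRE bundled under <install_dir>/jre (assumed layout) and check it.
    Note that `java -version` writes its banner to stderr, not stdout."""
    java = os.path.join(install_dir, "jre", "bin", "java")
    proc = subprocess.run([java, "-version"], capture_output=True, text=True, check=True)
    return meets_baseline(proc.stderr)


# Constructed sample banners in the shape Java 7 prints; not captured from a real host.
SAMPLE_BUNDLED_7U15 = (
    'java version "1.7.0_15"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_15-b03)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)\n'
)
SAMPLE_PATCHED_7U79 = (
    'java version "1.7.0_79"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_79-b15)\n'
)

if __name__ == "__main__":
    for label, banner in (("bundled", SAMPLE_BUNDLED_7U15), ("patched", SAMPLE_PATCHED_7U79)):
        verdict = "OK" if meets_baseline(banner) else f"BELOW BASELINE {SECURITY_BASELINE}"
        print(f"{label}: {parse_java_version(banner)} -> {verdict}")
```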

[CONFSERVER-37240] Multiple vulnerabilities in Java 1.7.0_15

Status: Closed (previously Resolved)
Labels: affects-server installer loyalty no-cvss-required qa-demo-passed security

              dunterwurzacher Denise Unterwurzacher [Atlassian] (Inactive)
              richatkins Richard Atkins