Jira Server and Data Center, JRASERVER-46203

InvokerTransformer vulnerability


Details

    • Type: Bug
    • Status: Closed
    • Priority: Low
    • Resolution: Answered

    Description

      This applies to all Atlassian products that may use commons-collections.

      There is a longstanding, unpatched deserialization vulnerability in the commons-collections Java library that allows remote code execution. More details here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thevulnerability

      Only JIRA instances with a Data Center license are vulnerable, through ehcache RMI, which is used for clustering and by default listens on port 40001. Ensure that only cluster nodes are permitted to connect to a JIRA Data Center instance's ehcache RMI port, through the use of a firewall and/or network segregation.
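One way to express the network restriction above as a reviewable firewall rule set: allow the ehcache RMI port only from listed cluster nodes, log and drop everything else. This is an added example, not code from the issue or from Atlassian; the node addresses and chain name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Jira issue): emit iptables rules that allow the
# ehcache RMI port (40001/tcp, the Data Center default named in the issue) only
# from the listed cluster-node addresses and drop everything else.
# Assumed/constructed values: the node addresses and the chain name.

EHCACHE_PORT=40001

# Print the rules for the given cluster node addresses instead of applying
# them, so the output can be reviewed (or piped to sh as root) first.
ehcache_rules() {
    chain="JIRA_EHCACHE"
    echo "iptables -N $chain"
    echo "iptables -A INPUT -p tcp --dport $EHCACHE_PORT -j $chain"
    for node in "$@"; do
        echo "iptables -A $chain -s $node -p tcp --dport $EHCACHE_PORT -j ACCEPT"
    done
    # Anything not from a cluster node is logged (for detection) and then dropped.
    echo "iptables -A $chain -p tcp --dport $EHCACHE_PORT -j LOG --log-prefix \"ehcache-rmi-denied: \""
    echo "iptables -A $chain -p tcp --dport $EHCACHE_PORT -j DROP"
}

# Count the ACCEPT rules in the generated set; a sanity check that the
# allow list has exactly one entry per cluster node supplied.
count_accept_rules() {
    ehcache_rules "$@" | grep -c -- '-j ACCEPT'
}

# Constructed cluster node addresses (placeholders, not real Jira nodes).
ehcache_rules 10.0.0.11 10.0.0.12
```

Review the printed rules against the real node list before applying them; a node missing from the list will lose cluster replication, not just be blocked.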

    People

      • Assignee: Unassigned
      • Reporter: CK IT
      • Votes: 8
      • Watchers: 44