Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Answered
Priority: Low
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- affects-server

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

This applies to all Atlassian products that may use the commons collections:
There is a longstanding, unpatched unserialize vulnerability in the commons-collections Java library that allows remote code execution. More details here: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thevulnerability

–

Only JIRA instances with a Data Center license are vulnerable through ehcache RMI, which is used for clustering, and by default listens on port 40001. Ensure that you only permit cluster nodes to connect to a JIRA Data Center instance's ehcache RMI port through the use of a firewall and/or network segregation.

Attachments

Issue Links

relates to

JRASERVER-47638 Upgrade to version 3.2.2 of apache commons-collections

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(2 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: CK IT

Votes:: 8 Vote for this issue

Watchers:: 44 Start watching this issue

Dates

Created:: 09/Nov/2015 5:03 PM

Updated:: 16/Oct/2018 12:55 AM

Resolved:: 30/Nov/2015 12:34 AM