[JRASERVER-59661] Update Java version bundled found in the installer to a version >= 1.8u71

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 7.1.2
Affects Version/s: 7.0.9
Component/s: Installation
Labels:

Introduced in Version:
7
CVSS Score:
6.8
Bug Fix Policy:
View Atlassian Server bug fix policy

Update the bundled version of java to a version >= 1.8u71 (1.8 update 71), which fixes many security issues (http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA).
Included in the security fixes is a fix for CVE-2016-0483 "An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions".

incorporates

JRASERVER-45367 Secure LDAP connections are broken when using Java 1.8u51, 1.8u60, 1.7.0_85+ and 1.6.0_101+

Closed

is related to

JRASERVER-44296 Update Java version bundled found in the installer to a version >= 1.8u51

Closed

JRASERVER-45367 Secure LDAP connections are broken when using Java 1.8u51, 1.8u60, 1.7.0_85+ and 1.6.0_101+

Closed

relates to

CONFSERVER-40671 Update Java version bundled found in the installer to a version >= 1.8u71

Closed

JPA-1288 Failed to load

included in

CPU-408 JIRA 7.2.0-OD-04-029

(1 included in)

Julia Simon (Inactive) added a comment - 25/Feb/2016 3:29 AM

Artifacts to test are here: https://jira-bamboo.internal.atlassian.com/browse/J71SPT-QA0-1/artifact

Julia Simon (Inactive) added a comment - 25/Feb/2016 3:29 AM Artifacts to test are here: https://jira-bamboo.internal.atlassian.com/browse/J71SPT-QA0-1/artifact

David Black added a comment - 04/Feb/2016 2:53 AM - edited

Using the cvss score for CVE-2016-0483.

CVSS score: 6.8 => High severity

Exploitability Metrics

AccessVector	Network
AccessComplexity	Medium
Authentication	None

Impact Metrics

ConfImpact	Partial
IntegImpact	Partial
AvailImpact	Partial

See https://extranet.atlassian.com/display/SECURITY/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

David Black added a comment - 04/Feb/2016 2:53 AM - edited Using the cvss score for CVE-2016-0483. CVSS score: 6.8 => High severity Exploitability Metrics AccessVector Network AccessComplexity Medium Authentication None Impact Metrics ConfImpact Partial IntegImpact Partial AvailImpact Partial See https://extranet.atlassian.com/display/SECURITY/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

Assignee:: Oswaldo Hernandez (Inactive)

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 04/Feb/2016 2:52 AM

Updated:: 28/Mar/2019 12:19 AM

Resolved:: 16/Mar/2016 4:34 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Julia Simon (Inactive) added a comment - 25/Feb/2016 3:29 AM

Expand comment: Julia Simon (Inactive) added a comment - 25/Feb/2016 3:29 AM

Collapse comment: David Black added a comment - 04/Feb/2016 2:53 AM, Edited by David Black - 05/Oct/2016 11:35 PM

Expand comment: David Black added a comment - 04/Feb/2016 2:53 AM, Edited by David Black - 05/Oct/2016 11:35 PM

People

Dates