Jira Server and Data Center / JRASERVER-65102

Update bundled Apache Tomcat due to security vulnerabilities


    Details

    • Introduced in Version:
      7.03
    • Support reference count:
      29
    • Symptom Severity:
      Severity 2 - Major
    • UIS:
      288
    • Current Status:
      Atlassian Update – 21 June 2018

      Hello everyone,

      Tomcat is currently being rolled out to 7.11.
      We will consider backporting it to 7.6.x soon.

      Sincerely,
      Piotr Suwała,
      Jira BugFix.


      Description

      There are a few vulnerabilities reported:

      1. CVE-2017-5648 - http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C8a78e8fe-616e-1959-3c0e-26704fc72766@apache.org%3E
      2. CVE-2017-5650 - http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C6d8077ef-1bcb-d07b-0bd0-f70ab0043faf@apache.org%3E
      3. CVE-2017-5651 - http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C63a584ba-4db7-85d3-0206-c1164b9d26c6@apache.org%3E
      4. CVE-2016-6817 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6817
      5. CVE-2016-6816 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816

      For CVE-2017-5650 and CVE-2017-5651, the Severity is Important and:

      Versions Affected:

      • Apache Tomcat 9.0.0.M1 to 9.0.0.M18
      • Apache Tomcat 8.5.0 to 8.5.12
      • Apache Tomcat 8.0.x and earlier are not affected

      Users of the affected versions should apply one of the following
      mitigations:

      • Upgrade to Apache Tomcat 9.0.0.M19 or later
      • Upgrade to Apache Tomcat 8.5.13 or later

      Moving forward, fix versions of JIRA should be bundled with Tomcat 8.5.13/9.0.0.M19 or above.

      Workaround

      If Tomcat is to be manually upgraded, please refer to How to upgrade Apache Tomcat version in JIRA 7.x. Currently Tomcat 8.5.13 and 8.5.14 are available.

      Manually upgrading Tomcat is not recommended or supported.
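
      The affected ranges listed above for CVE-2017-5650 and CVE-2017-5651 can be checked against the version string a bundled Tomcat reports, including the 9.0.0 milestone builds. This is an added example, not part of the original issue or Atlassian's code; the sample version strings are constructed, and the other three CVEs are not assessed because the issue gives no ranges for them.

```python
import re

# A final release sorts after every milestone build of the same x.y.z.
FINAL = float("inf")

# Affected ranges for CVE-2017-5650 and CVE-2017-5651, as listed in the issue.
# Each version is (major, minor, patch, milestone).
AFFECTED = [
    ((9, 0, 0, 1), (9, 0, 0, 18)),          # 9.0.0.M1 to 9.0.0.M18
    ((8, 5, 0, FINAL), (8, 5, 12, FINAL)),  # 8.5.0 to 8.5.12
]

# Matches "8.5.12", "Apache Tomcat/8.5.12" and milestone builds like "9.0.0.M18".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Extract a comparable version tuple from a Tomcat version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else FINAL
    return (major, minor, patch, milestone)


def is_affected(text):
    """True if the version falls inside one of the ranges listed in the issue."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED)


def audit(version_strings):
    """Return {version string: 'affected' | 'not affected'} for a list of hosts."""
    return {s: "affected" if is_affected(s) else "not affected"
            for s in version_strings}


if __name__ == "__main__":
    # Constructed sample input, in the style of Tomcat's "Server version" line.
    samples = [
        "Server version: Apache Tomcat/8.0.36",
        "Server version: Apache Tomcat/8.5.6",
        "Server version: Apache Tomcat/8.5.13",
        "Server version: Apache Tomcat/9.0.0.M18",
        "Server version: Apache Tomcat/9.0.0.M19",
    ]
    for line, status in audit(samples).items():
        print(f"{line:45} {status}")
```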

              People

              Assignee:
              psuwala Piotr Suwala
              Reporter:
              astephen@atlassian.com Adrian Stephen
              Votes:
              20
              Watchers:
              46
