      Atlassian Update – 21 December 2018

      Dear Jira users,

      We’re glad to announce that this issue will be addressed in our upcoming 8.0 release.

      You can find more details about our 8.0 beta release here — https://community.developer.atlassian.com/t/beta-for-jira-8-0-is-up-for-grabs/25588

      Looking forward to your feedback!

      Kind regards,
      Syed Masood
      Product Manager, Jira Server and Data Center

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

          [JRASERVER-67695] Upgrade to Tomcat 8.5.32 necessary

          Patrick added a comment - - edited

          EDIT: My bad - ignore it.


          Mark Hoover added a comment -

          New CVE as of 10/4/2018.

          CVE-2018-11784

          Products & Version Affected:
          Apache Tomcat 9.0.0.M1 to 9.0.11
          Apache Tomcat 8.5.0 to 8.5.33
          Apache Tomcat 7.0.23 to 7.0.90

          Patch Number(s):
          Apache Tomcat 9.0.12 or later
          Apache Tomcat 8.5.34 or later
          Apache Tomcat 7.0.91 or later

          jimmo42 added a comment -

          The last info that I had was that Jira is not supported using a non-bundled Tomcat. That would mean, should we follow the "Workaround", we would create a Jira system that is not officially supported. Our customers are obviously not going to be happy with a workaround from the developer that essentially voids any support contract they might have. Are there any plans to create a new version with a patched Tomcat?


          ΞΔ (Inactive) added a comment -

          Please don't install 7.2.12.
          Follow https://jira.atlassian.com/browse/JRASERVER-67974 if you already did.

          Jan-Olof Degerbalkan added a comment -

          Tried 7.12.2 but got a problem with the health check, which always reports an application link problem. The log analyzer never starts, it just sits at 0%; waited 15 minutes and then rolled back to 7.12.1, which works fine.

          sberube added a comment -

          Why is it closed as duplicate without any link to the duplicated issue? Does the 7.12.2 installer include Tomcat 8.5.32? The 7.12.2 Release Notes do not show any fixed issues.

          Thanks for clarifications.

          ΞΔ (Inactive) added a comment -

          blasberg2019614912 Sorry, my bad.
          Fix versions have been updated.

          Craig Blasberg added a comment -

          Given that https://jira.atlassian.com/browse/JRASERVER-67678 is private, can you please update where this is to be fixed?

          ΞΔ (Inactive) added a comment -

          p.avens1658105765
          The browser and server war is still going on: https://bz.apache.org/bugzilla/show_bug.cgi?id=62273.
          The quick fix for the problems you encountered is adding relaxedQueryChars="[]|{}\" to the Connector in server.xml, as the favourite filter query is using '[' and ']' in the REST call, which isn't escaped by the browser.
          We are still conducting testing to see whether the Tomcat upgrade won't break anything more, so I recommend waiting a little longer.

          In around a week I will update.
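          As an added illustration (not code from this thread, from Atlassian or from the Tomcat project), the following Python models the stricter RFC 3986 query-string validation Tomcat applies from 8.5.32 on, the effect of the Connector attribute relaxedQueryChars suggested above, and the client-side alternative of percent-encoding the brackets. The REST query string is constructed for the example; the character sets follow the RFC and the Tomcat Connector documentation.

```python
import re
from urllib.parse import quote

# Query-string characters RFC 3986 allows unencoded: unreserved, sub-delims, ":" "@" "/" "?".
# Anything else must be percent-encoded; a strict connector answers 400 Bad Request otherwise.
RFC3986_QUERY_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@/?"
)
# The only characters the Connector attribute relaxedQueryChars may re-permit (Tomcat docs).
TOMCAT_RELAXABLE = set('"<>[\\]^`{|}')
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def tomcat_accepts_query(query: str, relaxed_query_chars: str = "") -> bool:
    """Model of the strict parser: True when every character is RFC 3986 query syntax,
    a well-formed %XX escape, or a character re-permitted via relaxedQueryChars.
    The server.xml form of the workaround from the thread is
    <Connector ... relaxedQueryChars="[]|{}\\" /> (backslash needs no escaping in XML)."""
    relaxed = set(relaxed_query_chars)
    unsupported = relaxed - TOMCAT_RELAXABLE
    if unsupported:  # e.g. a space or "#" can never be relaxed, only the set above
        raise ValueError(f"relaxedQueryChars cannot re-permit {sorted(unsupported)}")
    allowed = RFC3986_QUERY_CHARS | relaxed
    i = 0
    while i < len(query):
        if query[i] == "%":
            if not PCT_ENCODED.fullmatch(query[i:i + 3]):
                return False  # bare or malformed percent sign
            i += 3
        elif query[i] in allowed:
            i += 1
        else:
            return False
    return True


def encode_query_value(value: str) -> str:
    """Client-side fix: percent-encode everything outside the unreserved set so the
    request is valid against a strict connector without any relaxation."""
    return quote(value, safe="")


# Constructed sample in the spirit of the favourite-filter REST call: a bracketed id list.
SAMPLE_QUERY = "expand=jql&ids=[10001,10002]"

if __name__ == "__main__":
    print("strict:", tomcat_accepts_query(SAMPLE_QUERY))                          # False
    print("relaxed:", tomcat_accepts_query(SAMPLE_QUERY, "[]|{}\\"))              # True
    print("encoded:", tomcat_accepts_query("expand=jql&ids=" + encode_query_value("[10001,10002]")))
```

          Relaxing the connector keeps the unencoded request working for every client, whereas encoding fixes only the one caller; a defender weighing the workaround should treat relaxedQueryChars as loosening input validation for the whole Connector.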

          Pavels Avens added a comment -

          Do you have support ticket for it?

          Sure I have - GHS-125241

          -----------------------------------------------------------

          Andy Nguyen 28/Aug/18 9:49 AM
          Good day Pavels,

          The only update we have for you today is, the bug ticket has been assigned:

          https://jira.atlassian.com/browse/JRASERVER-67678
          Take note that it's still private and you have no access. However, it's being worked on by the same developer that worked on this earlier (you have access):

          https://jira.atlassian.com/browse/JRASERVER-64394
          Currently it's in progress, nevertheless it may take some time so that we can be sure there's no compatibility problem in the code.

          Would you prefer us to keep this ticket frozen for the time being?

          Kind regards,
          Andy

          -----------------------------------------------------------

          Are you using JIRA version with 8.5.29 tomcat or older?

          Currently we use Jira 7.11.1 with the bundled Tomcat version 8.5.29

          ΞΔ (Inactive) added a comment -

          p.avens1658105765
          Do you have support ticket for it?
          Are you using JIRA version with 8.5.29 tomcat or older?

          There were some changes needed for 8.5.29 to work previously.

          Pavels Avens added a comment -

          Btw, I have rolled back Tomcat to the bundled Jira version because search filters do not work anymore after the manual Tomcat upgrade. Atlassian is notified. Therefore still waiting for a solution.

          jimmo42 added a comment -

          My understanding is that Atlassian will only support Jira with the bundled Tomcat. In a production environment, we can't install an unsupported version. As far as I can tell, nothing above 7.0 has a version of Tomcat without the problems. That means there is currently no fix for this problem. Am I getting this right?

          Pavels Avens added a comment -

          I have manually upgraded Jira with the latest Apache Tomcat 8.5.33 using the ZIP package.

          If I use http://archive.apache.org/dist/tomcat/tomcat-8/v8.5.33/bin/apache-tomcat-8.5.33.tar.gz, the Jira server does not start.
          If I use http://archive.apache.org/dist/tomcat/tomcat-8/v8.5.33/bin/apache-tomcat-8.5.33.zip, Jira starts and is upgraded with Tomcat 8.5.33.

          Therefore the solution is: use the zip package instead of the tar.gz.

          ΞΔ (Inactive) added a comment -

          Hello,
          I'm now taking care of this issue.

          p.avens1658105765
          Could you supply more info?
          I cannot reproduce.

          Pavels Avens added a comment -

          Atlassian workers just do not understand the importance of these vulnerabilities.
          Anyone with some specific programming knowledge can hack ANY current Jira Server instance.

          CVE-2018-1336 Apache Tomcat - Denial of Service
          Severity: Important
          Vendor: The Apache Software Foundation
          Versions Affected:
          Apache Tomcat 9.0.0.M9 to 9.0.7
          Apache Tomcat 8.5.0 to 8.5.30
          Apache Tomcat 8.0.0.RC1 to 8.0.51
          Apache Tomcat 7.0.28 to 7.0.86

          Description: An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.

          CVE-2018-8037 Apache Tomcat - Information Disclosure
          Severity: Important
          Vendor: The Apache Software Foundation
          Versions Affected:
          Apache Tomcat 9.0.0.M9 to 9.0.9
          Apache Tomcat 8.5.5 to 8.5.31

          Description: A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection.

          ragehard added a comment -

          We need to use a version of JIRA that

          a) is supported by Atlassian

          b) does not include applications that include serious vulnerabilities

          When may we expect a release of JIRA that fixes these issues?

          I am surprised to find no updates by Atlassian in this ticket, also it was created a week ago.

          Pavels Avens added a comment - - edited

          The new vulnerabilities reported by Apache are very serious. They can be patched by Tomcat 8.5.32 only.

          Currently the latest Tomcat available in Jira 7.11.1 is 8.5.29.

          Manual Tomcat upgrade to version 8.5.32 for Jira 7.11.1 does not work.

          The Jira server does not start; an error occurred: Could not find or load main class org.apache.catalina.startup.Bootstrap

          Please provide a new Jira server with the latest Tomcat 8.5.32 or provide a solution for a manual Tomcat 8.5.32 upgrade for Jira 7.11.1

            psuwala ΞΔ (Inactive)
            7e0ef9bdc7e8 Michael Gembalski