-
Bug
-
Resolution: Fixed
-
High (View bug fix roadmap)
-
7.13.0, 7.6.12, 8.0.2
-
7.06
-
1
-
Severity 2 - Major
-
4
-
Issue Summary
- The current version of Tomcat 8.5.35 bundled with JIRA 8.0 is vulnerable to Denial of Service CVE-2019-0199.
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.38
Fixed Versions
- >= 8.5.38
- >= 9.0.16
Workaround
- Upgrade Tomcat via the steps mentioned in https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-in-jira-7-x-879957866.html?
- duplicates
-
-
- Closed
-
- mentioned in
-
Page Failed to load
[JRASERVER-69145] Upgrade Tomcat to the version 8.5.38 and later
Jira 8.2.3 has shipped with Tomcat 8.5.40.
Closing this issue as a result.
Hello. As one of the Jira and Confluence admins for Wells Fargo, yes - we would like this updated to 8.5.38 (really 8.5.39) or later, for both Server and Data Center version of both products. Thanks.
Andrew, this has not been addressed in Jira 7.13.5, the latest shipping version of 7.x. We are upgrading to that now to address a critical vulnerability, but I see that it still has Tomcat 8.5.35.
Also, the workaround suggested earlier breaks the support model, stating clearly up top that
"The information in this page relates to customisations in JIRA. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customisations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk."
Please reopen and escalate this request to address some of the vulnerabilities noted in https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/version_id-282038/Apache-Tomcat-8.5.35.html. I am relieved to see that the worst of those exploits, CVE-2019-0232, is limited to Windows, because my own instances run on Linux, but that won't make Information Security folks any less concerned about running obsolete middleware.