Jira Data Center / JRASERVER-70487

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

      Issue Summary

      Recently disclosed vulnerabilities in Apache Tomcat (CVE-2019-17563 and CVE-2019-12418) affect the following versions:

      • Apache Tomcat 8.x from 8.5.0 before 8.5.50

      We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.

      Steps to Reproduce

      • Not applicable.

      Expected Results

      • Not applicable.

      Actual Results

      • Not applicable.

      Workaround


            Daniel Rauf added a comment:

            dunterwurzacher all versions are affected, as the latest Tomcat we ship with Jira is 8.5.42

            Denise Unterwurzacher [Atlassian] (Inactive) added a comment:

            Can we get a full list of the Jira versions that are affected?

            Can we also confirm if this fix will be backported to the Enterprise Releases?

            GSAC uses 8.5.35, and JAC is on 8.5.42, so sounds like they are both affected. Please liaise with my team (#help-itops) regarding any action we need to take to remedy them.

            Mitchell Johnson added a comment (edited):

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.5 => High severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: None
            Integrity: None
            Availability: High

            Vector: https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


              pprzytarski Pawel Przytarski
              408c4e8c446d Michael Aglas