[JRASERVER-70487] Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 8.9.0, 8.5.9
Affects Version/s: 8.6.1
Component/s: Tomcat
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.06
Support reference count:
29
Symptom Severity:
Severity 2 - Major
UIS:
611
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat

Which affects the following versions:

Apache Tomcat 8.x from 8.5.0 before 8.5.50

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.

Steps to Reproduce

Not applicable.

Expected Results

Not applicable.

Actual Results

Not applicable.

Workaround

Manually upgrade Tomcat according to our documentation.

details

JRASERVER-70727 Documentation on configuring Jira Server with Apache AJP should note recent Ghost Cat CVE-2020-1938

Closed

JSDSERVER-6768 Jira Service Desk Security Vulnerability Tomcat AJP CNVD-2020-10487/CVE-2020-1938

Closed

is related to

JRASERVER-70993 The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

Closed

resolves

JRASERVER-70127 Starting Jira 8 as a service on Windows with AdoptOpenJDK 11.0.4_11 causes an exception

Closed

mentioned in: Page Failed to load; Page Loading...; Page Loading...

relates to: RAID-1714 Loading...; RAID-1715 Loading...

(2 mentioned in, 2 relates to)

set-jac-bot made changes - 14/Oct/2020 10:09 AM

Fixed in Long Term Support Release/s

New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

David Black made changes - 14/Oct/2020 5:38 AM

Description

Original: h3. Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat
* [CVE-2019-12418|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418]
* [CVE-2019-17563|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563]

Which affects the following versions:

* Apache Tomcat 8.x from 8.5.0 to 8.5.50

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
h3. Steps to Reproduce
* Not applicable.

h3. Expected Results
* Not applicable.

h3. Actual Results
* Not applicable.

h3. Workaround
* Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].

New: h3. Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat
* [CVE-2019-12418|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418]
* [CVE-2019-17563|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563]

Which affects the following versions:

* Apache Tomcat 8.x from 8.5.0 before 8.5.50

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
h3. Steps to Reproduce
* Not applicable.

h3. Expected Results
* Not applicable.

h3. Actual Results
* Not applicable.

h3. Workaround
* Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].

David Black made changes - 14/Oct/2020 5:29 AM

Link

New: This issue is related to ~~JRASERVER-70993~~ [ ~~JRASERVER-70993~~ ]

David Black made changes - 14/Oct/2020 5:27 AM

Summary

Original: Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 (9.8) & CVE-2019-12418 (7.0)

New: Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

David Black made changes - 14/Oct/2020 5:03 AM

Labels

Original: cvss-high security vulnerable-components

New: advisory advisory-released cvss-high security vulnerable-components

David Black made changes - 14/Oct/2020 5:03 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 14/Oct/2020 5:02 AM

Description

Original: h3. Issue Summary
Apache came with 2 new Security Vulnerabilities which are resolved in Tomcat 8.5.50
CVE-2019-12418 : https://nvd.nist.gov/vuln/detail/CVE-2019-12418 (7.0).
CVE-2019-17563 : https://nvd.nist.gov/vuln/detail/CVE-2019-17563 (9.8).

New: h3. Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat
* [CVE-2019-12418|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418]
* [CVE-2019-17563|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563]

Which affects the following versions:

* Apache Tomcat 8.x from 8.5.0 to 8.5.50

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
h3. Steps to Reproduce
* Not applicable.

h3. Expected Results
* Not applicable.

h3. Actual Results
* Not applicable.

h3. Workaround
* Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].

David Black made changes - 13/Oct/2020 10:26 PM

Fix Version/s

New: 8.5.9 [ 92910 ]

Grazyna Kaszkur made changes - 04/Jun/2020 6:00 AM

Remote Link

Original: This issue links to "Page (Confluence)" [ 487329 ]

Grazyna Kaszkur made changes - 04/Jun/2020 5:55 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 487329 ]

Assignee:: Pawel Przytarski

Reporter:: Michael Aglas

Affected customers:: 0 This affects my team

Watchers:: 20 Start watching this issue

Created:: 15/Jan/2020 3:29 PM

Updated:: 14/Oct/2020 10:09 AM

Resolved:: 20/May/2020 8:43 AM

Jira Data Center

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates