[JRASERVER-70686] Upgrade Bouncy Castle to fix multiple CVEs

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.4, 8.8.0, 7.13.14, 8.7.2
Affects Version/s: 8.5.3, 7.13.13, 8.7.1
Component/s: Installation
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.13
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Jira uses Bouncy Castle library in version 1.50 that's vulnerable to 10 CVEs:

https://www.cvedetails.com/cve/CVE-2015-7940/
https://www.cvedetails.com/cve/CVE-2016-1000338/
https://www.cvedetails.com/cve/CVE-2016-1000339/
https://www.cvedetails.com/cve/CVE-2016-1000341/
https://www.cvedetails.com/cve/CVE-2016-1000342/
https://www.cvedetails.com/cve/CVE-2016-1000343/
https://www.cvedetails.com/cve/CVE-2016-1000344/
https://www.cvedetails.com/cve/CVE-2016-1000345/
https://www.cvedetails.com/cve/CVE-2016-1000346/
https://www.cvedetails.com/cve/CVE-2016-1000352/

It is not clear if any of the vulnerabilities can actually be abused by an attacker.

The library should be updated to at least version 1.56 to fix those CVEs.
However, that version has other known vulnerabilities, so it's recommended to update it to at least 1.61.

Workaround

There is no known workaround for this behavior.

relates to: MNSTR-3657 You do not have permission to view this issue

chris added a comment - 26/Feb/2020 8:22 PM

CVSS v3 score: 7.4 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

chris added a comment - 26/Feb/2020 8:22 PM CVSS v3 score: 7.4 => High severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Assignee:: Daniel Rauf

Reporter:: Daniel Rauf

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 21/Feb/2020 8:37 AM

Updated:: 01/Sep/2023 1:10 PM

Resolved:: 19/Mar/2020 4:03 PM

Jira Data Center

Details

Description

Issue Summary

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: chris added a comment - 26/Feb/2020 8:22 PM

Expand comment: chris added a comment - 26/Feb/2020 8:22 PM

People

Dates