[JRASERVER-70686] Upgrade Bouncy Castle to fix multiple CVEs

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.4, 8.8.0, 7.13.14, 8.7.2
Affects Version/s: 8.5.3, 7.13.13, 8.7.1
Component/s: Installation
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.13
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Jira uses Bouncy Castle library in version 1.50 that's vulnerable to 10 CVEs:

https://www.cvedetails.com/cve/CVE-2015-7940/
https://www.cvedetails.com/cve/CVE-2016-1000338/
https://www.cvedetails.com/cve/CVE-2016-1000339/
https://www.cvedetails.com/cve/CVE-2016-1000341/
https://www.cvedetails.com/cve/CVE-2016-1000342/
https://www.cvedetails.com/cve/CVE-2016-1000343/
https://www.cvedetails.com/cve/CVE-2016-1000344/
https://www.cvedetails.com/cve/CVE-2016-1000345/
https://www.cvedetails.com/cve/CVE-2016-1000346/
https://www.cvedetails.com/cve/CVE-2016-1000352/

It is not clear if any of the vulnerabilities can actually be abused by an attacker.

The library should be updated to at least version 1.56 to fix those CVEs.
However, that version has other known vulnerabilities, so it's recommended to update it to at least 1.61.

Workaround

There is no known workaround for this behavior.

relates to: MNSTR-3657 You do not have permission to view this issue

Edson Araujo made changes - 01/Sep/2023 1:10 PM

Remote Link

Original: This issue links to "MNSTR-3657 (Bulldog)" [ 472180 ]

New: This issue links to "MNSTR-3657 (JIRA Server (Bulldog))" [ 472180 ]

Adrian Stephen made changes - 08/Mar/2021 11:22 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

set-jac-bot made changes - 22/May/2020 8:26 AM

Fixed in Enterprise Release/s

New: [Download 7.13, 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Security Metrics Bot made changes - 04/May/2020 7:23 AM

Link

New: This issue details JRASERVER-71001 [ JRASERVER-71001 ]

Security Metrics Bot made changes - 24/Mar/2020 2:10 AM

Link

New: This issue details JRASERVER-70815 [ JRASERVER-70815 ]

Przemyslaw Czuj made changes - 19/Mar/2020 4:03 PM

Resolution		New: Fixed [ 1 ]
Status	Original: Waiting for Release [ 12075 ]	New: Closed [ 6 ]

David Black made changes - 17/Mar/2020 11:35 PM

Labels

Original: cvss-high security vulnerable-components

New: cvss-high patch-management security vulnerable-components

Security Metrics Bot made changes - 26/Feb/2020 9:11 PM

Due Date

New: 27/May/2020

Security Metrics Bot made changes - 26/Feb/2020 9:11 PM

Labels

Original: security vulnerable-components

New: cvss-high security vulnerable-components

chris made changes - 26/Feb/2020 8:23 PM

Labels

Original: security

New: security vulnerable-components

Assignee:: Daniel Rauf

Reporter:: Daniel Rauf

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 21/Feb/2020 8:37 AM

Updated:: 01/Sep/2023 1:10 PM

Resolved:: 19/Mar/2020 4:03 PM

Jira Data Center

Details

Description

Issue Summary

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates