[JRASERVER-70686] Upgrade Bouncy Castle to fix multiple CVEs

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.4, 8.8.0, 7.13.14, 8.7.2
Affects Version/s: 8.5.3, 7.13.13, 8.7.1
Component/s: Installation
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.13
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Jira uses Bouncy Castle library in version 1.50 that's vulnerable to 10 CVEs:

https://www.cvedetails.com/cve/CVE-2015-7940/
https://www.cvedetails.com/cve/CVE-2016-1000338/
https://www.cvedetails.com/cve/CVE-2016-1000339/
https://www.cvedetails.com/cve/CVE-2016-1000341/
https://www.cvedetails.com/cve/CVE-2016-1000342/
https://www.cvedetails.com/cve/CVE-2016-1000343/
https://www.cvedetails.com/cve/CVE-2016-1000344/
https://www.cvedetails.com/cve/CVE-2016-1000345/
https://www.cvedetails.com/cve/CVE-2016-1000346/
https://www.cvedetails.com/cve/CVE-2016-1000352/

It is not clear if any of the vulnerabilities can actually be abused by an attacker.

The library should be updated to at least version 1.56 to fix those CVEs.
However, that version has other known vulnerabilities, so it's recommended to update it to at least 1.61.

Workaround

There is no known workaround for this behavior.

relates to: MNSTR-3657 You do not have permission to view this issue

Assignee:: Daniel Rauf

Reporter:: Daniel Rauf

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 21/Feb/2020 8:37 AM

Updated:: 01/Sep/2023 1:10 PM

Resolved:: 19/Mar/2020 4:03 PM

Jira Data Center

Details

Description

Issue Summary

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates