  2. JRASERVER-70727

Documentation on configuring Jira Server with Apache AJP should note recent Ghost Cat CVE-2020-1938



      Problem Definition

      Atlassian ships products like Jira Server/Confluence Server with an Apache Tomcat webserver. Out of the box, we don't ship any products I am aware of that use the AJP connector.

      However, customers could enable this as a means to set up an Apache reverse proxy with our products.
      If they do this, they should be made aware of the recent CVE-2020-1938 (see "Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability (CNVD-2020-10487)" on the Tenable blog, and the "Apache Tomcat 8 vulnerabilities" page on the Apache Tomcat site).
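As an added illustration (not part of the Jira issue, and not Atlassian's code): the exposure the issue warns about is an AJP connector that listens on all interfaces and accepts connections without a shared secret. The script below audits a Tomcat server.xml for exactly that, using two constructed snippets: a connector enabled the way it was commonly done for an Apache reverse proxy on Tomcat releases that predate the Ghostcat fix, and the same connector bound to loopback with `secretRequired`/`secret` set, which is how the fixed Tomcat releases configure AJP by default. The secret value in the sample is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way CVE-2020-1938 requires.

Added example, not from the Jira issue. The two server.xml snippets are constructed.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

# Constructed sample: AJP enabled for a reverse proxy with no address binding
# and no shared secret (typical of pre-fix Tomcat configurations).
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: the same connector bound to loopback and requiring a
# shared secret. The secret value is a placeholder, not a real one.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"
               redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one record per AJP connector with the list of exposure issues found.

    An empty ``issues`` list means the connector is loopback-only and protected
    by a shared secret. HTTP/HTTPS connectors are skipped: Ghostcat is AJP-only.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit class names such as AjpNioProtocol.
        if "ajp" not in protocol.lower():
            continue
        issues = []
        address = connector.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            issues.append("listens on all interfaces")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append(f"bound to non-loopback address {address}; confirm it is firewalled")
        if connector.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired is disabled")
        if not connector.get("secret"):
            issues.append("no shared secret configured")
        findings.append({"port": connector.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
            print(f"{label}: AJP connector on port {finding['port']}: {status}")
```

Run it against a real `conf/server.xml` by passing the file contents to `audit_ajp_connectors`. The Apache side of a hardened setup has to present the same secret; recent httpd releases accept it as a `secret=` parameter on the `ProxyPass` line for `mod_proxy_ajp`, so the two configurations must be changed together.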

      Suggested Solution

      We should at least update documents such as

      to have some kind of banner/warning about this CVE. This way we can at least try to prevent users on unpatched versions from making themselves vulnerable to a known attack.

      Why this is important

      Help keep customers secure. We should acknowledge that these steps could potentially leave the system vulnerable to an RCE attack.

            tbartyzel Tomasz Bartyzel
            aheinzer Andy Heinzer
            Votes: 5
            Watchers: 14
