Problem Definition
Atlassian ships products like Jira Server/Confluence Server with an Apache Tomcat webserver. Out of the box, we don't ship any products I am aware of that use the AJP connector.
However, customers could enable this as a means to set up an Apache reverse proxy with our products.
If they do this, they should be made aware of the recent CVE-2020-1938: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability (CNVD-2020-10487) - Blog Tenable® and Apache Tomcat® - Apache Tomcat 8 vulnerabilities.
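As an added example (not part of this issue or of any Atlassian product), a small check that reads a Tomcat server.xml and reports every enabled AJP connector that is not bound to loopback or has no shared secret configured, the two configuration-side mitigations for CVE-2020-1938 besides upgrading Tomcat. The two server.xml fragments are constructed samples; the attribute names address, secret and secretRequired are the AJP connector attributes documented for Tomcat 8.5.51/9.0.31 and later.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (hypothetical, not from any Atlassian product).
EXPOSED = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SHARED-SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per enabled AJP connector, listing missing mitigations.

    Connectors left inside XML comments (as in the stock server.xml) are ignored,
    which matches what Tomcat itself loads. Upgrading to a fixed Tomcat release
    remains the primary fix; this only checks the configuration-side controls.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Matches "AJP/1.3" as well as explicit class names such as AjpNioProtocol.
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP/HTTPS connectors are not affected by CVE-2020-1938
        address = conn.get("address", "0.0.0.0")  # unset means all interfaces
        missing = []
        if address not in LOOPBACK:
            missing.append("not bound to loopback: set address=\"127.0.0.1\" or firewall the port")
        if not conn.get("secret"):
            missing.append("no shared secret: set secretRequired=\"true\" and secret=..., "
                           "and configure the same secret in the reverse proxy")
        findings.append({"port": conn.get("port"), "address": address, "missing": missing})
    return findings


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED), ("hardened", HARDENED)):
        for finding in audit_ajp_connectors(doc):
            status = "OK" if not finding["missing"] else "NEEDS ATTENTION"
            print(f"{label}: AJP on {finding['address']}:{finding['port']} -> {status}")
            for item in finding["missing"]:
                print("   -", item)
```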
Suggested Solution
We should at least update documents such as
- Integrating Jira with Apache using SSL - Atlassian Documentation
- Configuring Apache Reverse Proxy Using the AJP Protocol - Atlassian Documentation
- Integrating Jira applications with IIS - Atlassian Documentation
to have some kind of banner/warning about this CVE. This way we can at least try to prevent users on unpatched versions from making themselves vulnerable to a known attack.
Why this is important
Help keep customers secure. We should acknowledge that these steps could potentially leave the system vulnerable to an RCE attack.
Is detailed by: JRASERVER-70487 Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418 (Closed)
This also applies to Confluence, right? I did not find a related issue for it... it is also not linked.