Jira Data Center
JRASERVER-70727

Documentation on configuring Jira Server with Apache AJP should note recent Ghost Cat CVE-2020-1938


Details

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem Definition

      Atlassian ships products like Jira Server/Confluence Server with an Apache Tomcat webserver. Out of the box, we don't ship any products I am aware of that use the AJP connector.

      However, customers could enable this as a means to set up an Apache reverse proxy with our products.
      If they do this, they should be made aware of the recent CVE-2020-1938: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability (CNVD-2020-10487) (Tenable blog) and the Apache Tomcat 8 vulnerabilities page.
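      As an added illustration of the point above (this is not code from the issue or from Atlassian), the following script audits a Tomcat server.xml (for Jira Server the bundled one lives under the install directory at conf/server.xml) for AJP connectors that have been enabled without the two configuration mitigations that accompany CVE-2020-1938: a shared secret on the connector and binding it to a loopback address. Upgrading Tomcat is the actual fix; the script only spots connectors that would leave an unpatched instance exposed. It assumes each Connector element sits on one line with at most one XML comment per line, as in the stock file layout, and the sample server.xml it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Atlassian's code: find enabled AJP connectors in a
# Tomcat server.xml that lack the CVE-2020-1938 (Ghostcat) mitigations.
# Assumption: each <Connector .../> element is on a single line, as in the
# stock server.xml; hand-edited multi-line elements are not parsed.

# Prints one line per enabled AJP connector in the form <verdict>:<reasons>
# where <verdict> is "risky" or "hardened".
audit_ajp_connectors() {
    file="$1"
    # Drop single-line XML comments first: the shipped server.xml keeps the
    # AJP connector commented out, which is the safe default and must not
    # be reported.
    sed -e 's/<!--.*-->//g' "$file" \
    | grep -E '<Connector[^>]*protocol="AJP/1\.3"' \
    | while IFS= read -r line; do
        verdict="hardened"
        reasons=""
        # Tomcat 8.5.51+/9.0.31+ use secretRequired/secret; older releases
        # use requiredSecret. Without a secret, any client that can reach
        # the port may speak AJP to Tomcat.
        if printf '%s\n' "$line" | grep -Eq 'secretRequired="false"'; then
            verdict="risky"; reasons="${reasons}secret-explicitly-disabled;"
        elif ! printf '%s\n' "$line" | grep -Eq ' (secret|requiredSecret)="[^"]+"'; then
            verdict="risky"; reasons="${reasons}no-shared-secret;"
        fi
        # Without an explicit loopback address the connector listens on all
        # interfaces, so more than the local reverse proxy can reach it.
        if ! printf '%s\n' "$line" | grep -Eq ' address="(127\.0\.0\.1|::1|localhost)"'; then
            verdict="risky"; reasons="${reasons}not-loopback-bound;"
        fi
        printf '%s:%s\n' "$verdict" "${reasons:-ok}"
      done
}

# Constructed sample server.xml covering three cases (no secret and no
# address; secret but bound to all interfaces; secret and loopback-bound),
# plus the commented-out connector that the stock file ships with.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="true" secret="sample-secret"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1" secretRequired="true" secret="sample-secret"/>
  </Service>
</Server>
EOF
}

# Usage: sh ajp_audit.sh /path/to/server.xml ; with no argument, audit the sample.
if [ "$#" -gt 0 ]; then
    audit_ajp_connectors "$1"
else
    sample="$(mktemp)"
    write_sample_server_xml "$sample"
    audit_ajp_connectors "$sample"
    rm -f "$sample"
fi
```

      Run against the sample, the connector on port 8009 is reported as risky for lacking both a secret and a loopback binding, the one on 8010 as risky for listening on all interfaces, and the one on 8011 as hardened; the commented-out connector is ignored, which is the state the stock file ships in.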

      Suggested Solution

      We should at least update documents such as

      to have some kind of banner/warning about this CVE. This way we can at least try to prevent users on unpatched versions from making themselves vulnerable to a known attack.

      Why this is important

      Help keep customers secure. We should acknowledge that these steps could potentially leave a system vulnerable to an RCE attack.

      People

        tbartyzel Tomasz Bartyzel
        aheinzer Andy Heinzer
        Votes: 5
        Watchers: 14