[JRASERVER-70993] The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 8.11.0, 8.12.0, 8.5.9
Affects Version/s: 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.5.8
Component/s: Tomcat
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.05
Support reference count:
19
Symptom Severity:
Severity 2 - Major
UIS:
48
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat

Which affects the following versions:

Apache Tomcat 8.x from 8.5.0 before 8.5.51

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.

Steps to Reproduce

Not applicable.

Expected Results

Not applicable.

Actual Results

Not applicable.

Workaround

Manually upgrade Tomcat according to our documentation.

is related to

JSWSERVER-20471 Security Vulnerability Tomcat AJP CNVD-2020-10487/CVE-2020-1938

Closed

relates to

JRASERVER-73223 Upgrade Tomcat to version 8.5.75 - CVE-2020-9484/CVE-2022-23181

Closed

JRASERVER-70487 Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

Closed

VULN-191760 Failed to load

RAID-1987 You do not have permission to view this issue

mentioned in: Page Loading...; Page Loading...; Page Loading...

(3 mentioned in)

Mitchell Johnson added a comment - 07/May/2020 9:31 PM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.8 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Mitchell Johnson added a comment - 07/May/2020 9:31 PM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.8 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Assignee:: Pawel Przytarski

Reporter:: Solomon Cherian

Affected customers:: 0 This affects my team

Watchers:: 15 Start watching this issue

Created:: 30/Apr/2020 9:04 AM

Updated:: 02/Jan/2024 5:31 PM

Resolved:: 15/Jul/2020 12:26 PM

Jira Data Center

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: Mitchell Johnson added a comment - 07/May/2020 9:31 PM, Edited by David Black - 14/Oct/2020 5:35 AM

Expand comment: Mitchell Johnson added a comment - 07/May/2020 9:31 PM, Edited by David Black - 14/Oct/2020 5:35 AM

People

Dates