Jira Data Center / JRASERVER-71221

Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484

      Issue Summary

      The recently disclosed vulnerability regarding Tomcat affects the following versions:

      Apache Tomcat 7.x < 7.0.103
      Apache Tomcat 8.x < 8.5.54
      Apache Tomcat 9.x < 9.0.34
      Apache Tomcat 10.x < 10.0.0-M4

      We should bundle a more recent version of Tomcat, so that Jira is not affected by this in the future.
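      A practical check to pair with the list above is to ask the Tomcat that Jira actually bundles for its version and compare it against the affected ranges. The shell function below is an added example, not part of this issue or of Atlassian's code. Its thresholds are the last affected release of each branch as published in the Apache Tomcat security advisory for CVE-2020-9484 (7.0.103, 8.5.54, 9.0.34 and 10.0.0-M4, upper bounds inclusive, so 8.5.54 itself is still vulnerable and 8.5.55 is the first fixed 8.5 release); the `/opt/atlassian/jira` install path in the comments is an assumption about a typical Linux install, and the sample versions fed to it are constructed.

```shell
#!/bin/sh
# Added example, not part of this issue or of Atlassian's code: decide whether a
# given Tomcat release falls inside the CVE-2020-9484 affected ranges.
# Thresholds are the last affected release per branch in the Apache Tomcat
# security advisory (upper bounds inclusive):
#   7.0.0 to 7.0.103, 8.5.0 to 8.5.54, 9.0.0.M1 to 9.0.34, 10.0.0-M1 to 10.0.0-M4

# Normalise "8.5.50", "8.5.50.0", "9.0.0.M1" or "10.0.0-M4" into one sortable
# integer: major, then three zero-padded fields for minor, patch, milestone.
# A GA release gets milestone 999 so it sorts after every milestone build of
# the same x.y.z (9.0.0.M1 < 9.0.0).
ver_key() {
    v=$1
    ms=999
    case $v in
        *-M*|*.M*)
            ms=${v##*M}          # digits after the milestone marker
            v=${v%[-.]M*}        # strip "-M4" / ".M1"
            ;;
    esac
    # shellcheck disable=SC2046  # word splitting on the dots is intended
    set -- $(printf '%s' "$v" | tr . ' ')
    printf '%d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$ms"
}

# Print "affected", "not-affected", or "unknown" (branch not covered by the advisory).
tomcat_affected() {
    case $1 in
        7.*)   last=7.0.103 ;;
        8.5.*) last=8.5.54 ;;
        9.*)   last=9.0.34 ;;
        10.*)  last=10.0.0-M4 ;;
        *)     echo unknown; return 0 ;;
    esac
    if [ "$(ver_key "$1")" -le "$(ver_key "$last")" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# On a Jira server the bundled Tomcat reports its own version; the install
# path below is an assumption about a typical Linux install:
#   java -cp /opt/atlassian/jira/lib/catalina.jar org.apache.catalina.util.ServerInfo \
#     | sed -n 's#^Server version: *Apache Tomcat/##p'
# Constructed sample input: the 8.5.50 this issue was filed against, the 8.5.56
# the comments report as the fixed bundle, and two milestone builds.
for v in 8.5.50 8.5.56 9.0.0.M1 10.0.0-M4; do
    printf '%-10s %s\n' "$v" "$(tomcat_affected "$v")"
done
```

      Feed the function the `Server version` line from ServerInfo rather than the Jira release number: Jira's own version does not tell you which Tomcat is in `lib/`, which is exactly the gap this issue is about.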

      Steps to Reproduce

      Expected Results

      • Not applicable.

      Actual Results

      • Not applicable.

      Workaround

            Matt Doar added a comment -

            Looks like it made it into 8.5.9 on 2020-10-11

            MadhanTest added a comment -

            Any plans to address this in Jira 8.5.x LTS?

            mark_milgram added a comment -

            Any update on when it will be in Jira 8.5.x LTS?

            chris anderson added a comment -

            Hi,

            Will this be backported to the long term support release Jira 8.5.x?

            Thanks,

            Chris

            Mateusz Marzęcki added a comment -

            Tomcat has been upgraded to 8.5.56 as a part of https://jira.atlassian.com/browse/JRASERVER-70993

            Hayden Le added a comment -

            CVSS v3 score: 7.0 => High severity

            Exploitability Metrics

            Attack Vector: Local
            Attack Complexity: High
            Privileges Required: Low
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: High
            Integrity: High
            Availability: High

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

              Assignee: Unassigned
              Reporter: gperes@atlassian.com (Gregory Peres, Inactive)
              Affected customers: 1
              Watchers: 9