[JRASERVER-71221] Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.11.0, 8.12.0, 8.5.9
Affects Version/s: 8.9.0
Component/s: Tomcat
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.09
Support reference count:
2
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

The recently disclosed vulnerability regarding Tomcat affects the following versions:

Apache Tomcat 7x <7.0.103
Apache Tomcat 8x <8.5.54
Apache Tomcat 9x <9.0.34
Apache Tomcat 10x < 10.0.0-M4

We should bundle a more recent version of Tomcat, so that Jira is not affected by this in the future.

Steps to Reproduce

Check the CVE report.

Expected Results

Not applicable.

Actual Results

Not applicable.

Workaround

Manually upgrade Tomcat according to our documentation.

relates to

JRASERVER-71321 Upgrade the bundled version of Apache Tomcat to 8.5.57

Closed

Matt Doar added a comment - 14/Oct/2020 4:00 PM

Looks like it made it into 8.5.9 on 2020-10-11

Matt Doar added a comment - 14/Oct/2020 4:00 PM Looks like it made it into 8.5.9 on 2020-10-11

set-jac-bot made changes - 14/Oct/2020 10:09 AM

Fixed in Long Term Support Release/s

New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

David Black made changes - 14/Oct/2020 4:35 AM

Link

New: This issue relates to ~~JRASERVER-71321~~ [ ~~JRASERVER-71321~~ ]

David Black made changes - 14/Oct/2020 4:34 AM

Fix Version/s

New: 8.5.9 [ 92910 ]

David Black made changes - 14/Oct/2020 4:34 AM

Fix Version/s

New: 8.12.0 [ 92098 ]

David Black made changes - 14/Oct/2020 4:33 AM

Labels

Original: cvss-high security vulnerable-components

New: advisory advisory-released cvss-high security vulnerable-components

MadhanTest added a comment - 27/Aug/2020 2:06 PM

Any plans to address this in Jira 8.5.x LTS ?

MadhanTest added a comment - 27/Aug/2020 2:06 PM Any plans to address this in Jira 8.5.x LTS ?

mark_milgram added a comment - 13/Aug/2020 3:56 PM

Any update of when it will be in Jira 8.5.x LTS ?

mark_milgram added a comment - 13/Aug/2020 3:56 PM Any update of when it will be in Jira 8.5.x LTS ?

chris anderson added a comment - 30/Jul/2020 3:34 PM

Hi,

Will this be back ported to the long term support release Jira 8.5.x?

Thanks,

Chris

chris anderson added a comment - 30/Jul/2020 3:34 PM Hi, Will this be back ported to the long term support release Jira 8.5.x? Thanks, Chris

Ignat (Inactive) made changes - 15/Jul/2020 12:26 PM

Resolution		New: Fixed [ 1 ]
Status	Original: Waiting for Release [ 12075 ]	New: Closed [ 6 ]

Assignee:: Unassigned

Reporter:: Gregory Peres (Inactive)

Affected customers:: 1 This affects my team

Watchers:: 9 Start watching this issue

Created:: 25/Jun/2020 4:59 AM

Updated:: 14/Oct/2020 4:00 PM

Resolved:: 15/Jul/2020 12:26 PM

Jira Data Center

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

[JRASERVER-71221] Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484

Collapse comment: Matt Doar added a comment - 14/Oct/2020 4:00 PM

Expand comment: Matt Doar added a comment - 14/Oct/2020 4:00 PM

Collapse comment: MadhanTest added a comment - 27/Aug/2020 2:06 PM

Expand comment: MadhanTest added a comment - 27/Aug/2020 2:06 PM

Collapse comment: mark_milgram added a comment - 13/Aug/2020 3:56 PM

Expand comment: mark_milgram added a comment - 13/Aug/2020 3:56 PM

Collapse comment: chris anderson added a comment - 30/Jul/2020 3:34 PM

Expand comment: chris anderson added a comment - 30/Jul/2020 3:34 PM

People

Dates