[JRASERVER-71321] Upgrade the bundled version of Apache Tomcat to 8.5.57

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 8.12.1, 8.13.0-EAP, 8.13.0, 8.5.9, 8.14.0, 8.14.1
Affects Version/s: 8.11.0, 8.12.0, 8.5.8
Component/s: Tomcat
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.05
Support reference count:
14
Symptom Severity:
Severity 2 - Major
UIS:
59
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

The recently disclosed vulnerability regarding Apache Tomcat

CVE-2020-13934

affects the following versions:

Apache Tomcat 8.x from 8.5.1 to 8.5.56
Apache Tomcat 9.x from 9.0.0.M5 to 9.0.36
Apache Tomcat 10.x from 10.0.0-M1 to 10.0.0-M6

Additionally, the following disclosed vulnerability regarding Tomcat:

CVE-2020-13935

affects the following versions:

Apache Tomcat 7.x from 7.0.27 to 7.0.104
Apache Tomcat 8.x from 8.5.1 to 8.5.56
Apache Tomcat 9.x from 9.0.0.M5 to 9.0.36
Apache Tomcat 10.x from 10.0.0-M1 to 10.0.0-M6

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.

Steps to Reproduce

Check the CVE reports:
- CVE-2020-13934
- CVE-2020-13935

Expected Results

Not applicable.

Actual Results

Not applicable.

Workaround

Manually upgrade Tomcat according to our documentation.

incorporates

CONFSERVER-60004 Upgrade Tomcat to version 9.0.37

Closed

is related to

JRASERVER-71221 Upgrade Apache Tomcat 8.5.50 - version affected by CVE-2020-9484

Closed

relates to

JRASERVER-72609 Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

Closed

blocks: PS-62845 You do not have permission to view this issue

mentioned in: Page Failed to load

Andriy Yakovlev [Atlassian] made changes - 22/Sep/2021 3:55 PM

Link

New: This issue relates to ~~JRASERVER-72609~~ [ ~~JRASERVER-72609~~ ]

Mahtab made changes - 26/Nov/2020 12:08 AM

Fix Version/s		New: 8.14.1 [ 93491 ]
Fix Version/s		New: 8.14.0 [ 92899 ]

set-jac-bot made changes - 14/Oct/2020 10:09 AM

Fixed in Long Term Support Release/s

New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

David Black made changes - 14/Oct/2020 4:35 AM

Link

New: This issue is related to ~~JRASERVER-71221~~ [ ~~JRASERVER-71221~~ ]

Bugfix Automation Bot made changes - 14/Oct/2020 3:30 AM

Introduced in Version

Original: 8.11

New: 8.05

David Black made changes - 14/Oct/2020 3:03 AM

Labels

Original: cvss-high dmb-legacy-jac-within security vulnerable-components

New: advisory advisory-released cvss-high dmb-legacy-jac-within security vulnerable-components

David Black made changes - 14/Oct/2020 2:56 AM

Affects Version/s

New: 8.12.0 [ 92098 ]

David Black made changes - 14/Oct/2020 2:55 AM

Affects Version/s

New: 8.5.8 [ 92036 ]

David Black made changes - 14/Oct/2020 2:55 AM

Fix Version/s

New: 8.13.0 [ 92100 ]

David Black made changes - 14/Oct/2020 2:54 AM

Fix Version/s

New: 8.5.9 [ 92910 ]

Assignee:: Pawel Cegla

Reporter:: Gregory Peres (Inactive)

Affected customers:: 15 This affects my team

Watchers:: 29 Start watching this issue

Created:: 17/Jul/2020 3:19 PM

Updated:: 14/Oct/2021 2:30 AM

Resolved:: 07/Sep/2020 4:10 PM

Jira Data Center

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates