JRASERVER-72609 (Jira Server and Data Center)

Upgrade the bundled version of Apache Tomcat to 8.5.68 or later


    Description

      Issue Summary

      The recently disclosed Apache Tomcat vulnerabilities

      • CVE-2021-33037 (Base Score: 5.3 MEDIUM)
      • CVE-2021-42340 (NVD score not yet provided.)

        Tomcat's description of CVE-2021-42340: The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

      affect the following versions:

      • Apache Tomcat 10.0.0-M1 to 10.0.6
      • Apache Tomcat 9.0.0.M1 to 9.0.53
      • Apache Tomcat 8.5.60 to 8.5.71

      The currently bundled version of Tomcat is 8.5.68, which falls inside the affected 8.5.60 to 8.5.71 range. We should bundle a more recent version of Tomcat so that Jira is not affected by this.
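      As an added check, not code from this ticket or from Atlassian, the following Python script pulls the Tomcat version out of the text that the bundled `bin/version.sh` prints (or the `server.info` line of `ServerInfo.properties` inside `lib/catalina.jar`) and tests it against the ranges listed above. Tomcat milestone builds ("10.0.0-M1", "9.0.0.M1") sort before the GA release of the same number, which a plain string or tuple compare gets wrong, so the parser carries an explicit release flag. The file locations under the Jira install directory and the sample output are assumptions.

```python
"""Check whether a bundled Apache Tomcat version falls inside the ranges that
JRASERVER-72609 lists as affected by CVE-2021-42340.

Added example; the ranges are copied from the ticket text, the file locations
and sample output are assumptions.
"""
import re
from typing import Optional, Sequence, Tuple

# Affected ranges exactly as the ticket lists them (inclusive on both ends).
AFFECTED_RANGES: Sequence[Tuple[str, str]] = (
    ("10.0.0-M1", "10.0.6"),
    ("9.0.0.M1", "9.0.53"),
    ("8.5.60", "8.5.71"),
)

# major.minor.patch with an optional milestone suffix written as "-M1" or ".M1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    The tuple is (major, minor, patch, release_flag, milestone) with
    release_flag 0 for milestone builds and 1 for GA, so "10.0.0-M1"
    sorts before "10.0.0" and "9.0.0.M1" before "9.0.0".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str, ranges: Sequence[Tuple[str, str]] = AFFECTED_RANGES) -> bool:
    """True if `version` lies inside any of the inclusive affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def extract_version(text: str) -> Optional[str]:
    """Pull the version out of text such as the output of version.sh
    ("Server version: Apache Tomcat/8.5.68") or the server.info line of
    ServerInfo.properties ("server.info=Apache Tomcat/8.5.68")."""
    m = re.search(r"Apache Tomcat/(\S+)", text)
    return m.group(1) if m else None


# Constructed sample of what `<jira-install>/bin/version.sh` is assumed to
# print on a node running the Tomcat version this ticket describes.
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/atlassian/jira
Server version: Apache Tomcat/8.5.68
Server number:  8.5.68.0
"""

if __name__ == "__main__":
    found = extract_version(SAMPLE_VERSION_SH)
    if found is None:
        print("no Tomcat version found")
    else:
        print(found, "affected" if is_affected(found) else "not affected")
```

      In practice, run `bin/version.sh` on each node (or `unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties`) and feed the output to `extract_version`; a result inside the 8.5.60 to 8.5.71 range means the node still carries the leaking WebSocket metrics object and should be upgraded.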

      Steps to Reproduce

      Expected Results

      • Not applicable.

      Actual Results

      • Not applicable.

      Workaround

      Note on fix

      Jira 8.21.0 ships with Apache Tomcat 8.5.72.

            People

              pprzytarski Pawel Przytarski
              vshanmugam Vicknesh Shanmugam (Inactive)
              Votes: 17
              Watchers: 43