-
Bug
-
Resolution: Fixed
-
Medium (View bug fix roadmap)
-
8.5.1, 8.17.1, 8.5.19, 8.13.11, 8.19.1, 8.20.0, 8.20.1, 8.20.2
-
8.05
-
24
-
Severity 3 - Minor
-
47
-
Issue Summary
The recently disclosed vulnerability regarding Apache Tomcat
- CVE-2021-33037, CVE-2021-33037 (Base Score: 5.3 MEDIUM)
- CVE-2021-42340 (NVD score not yet provided.)
The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
affects the following versions:
- Apache Tomcat 10.0.0-M1 to 10.0.6
- Apache Tomcat 9.0.0.M1 to 9.0.53
- Apache Tomcat 8.5.60 to 8.5.71
We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
Current bundled version of Tomcat 8.5.68
Steps to Reproduce
- Check the CVE reports:
Expected Results
- Not applicable.
Actual Results
- Not applicable.
Workaround
- Manually upgrade Tomcat according to our documentation.
Note on fix
Jira 8.21.0 is shipped with Apache Tomcat 8.5.72
- is related to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
JRASERVER-72346 Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122
-
- Published
-
-
-
- Published
-
-
JSEC-1076 Loading...
-
-
- mentioned in
-
- relates to
-
[JRASERVER-72609] Upgrade the bundled version of Apache Tomcat to 8.5.68 or later
Jira LTS 8.20.5 still ships with Apache Tomcat/8.5.65 as such the affected versions needs to be updated.
This cannot be resolved / closed until the fix is released for LTS 8.20.2 is made available otherwise why release LTS versions? Expectation to upgrade Jira instance to fix security vulnerability from LTS version to minor version is unacceptable. Please reopen this BUG issue and provide the fix for LTS version.
How this can be closed with a fix in 8.21.0 if the latest LTS 8.20.2 is still vulnerable.
It's been 8 months since the issue is not fixed in any LTS release!
Agree with the Russell Berry above, the latest LTS Enterprise release Jira 8.20.2 is still on Apache Tomcat 8.5.65 released in April. This must be upgrade / fixed as matter of high priority to address the security vulnerabilities.
Hi, also see https://jira.atlassian.com/browse/JRASERVER-72914 for CVE-2021-42340
That ticket has unfortunately been created as a "bug" and not as a "Public Security Vulnerability" issue type and I believe that that ticket would warrant a higher priority.
This also affects Jira 8.20.0 and 8.20.1.
Upgrading the bundled Apache Tomcat to version 8.5.72 would fix the CVE's mentioned in this ticket, all of which are Public Securty Vulnerabilities I believe.
Will https://confluence.atlassian.com/jiracore/bundled-tomcat-and-java-versions-1013854250.html be updated to reflect Jira LTS 8.20.6 is upgraded with?