Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72609

Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

    XMLWordPrintable

Details

    Description

      Issue Summary

      The recently disclosed vulnerability regarding Apache Tomcat

      • CVE-2021-33037, CVE-2021-33037 (Base Score: 5.3 MEDIUM)
      • CVE-2021-42340 (NVD score not yet provided.)

        The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

      affects the following versions:

      • Apache Tomcat 10.0.0-M1 to 10.0.6
      • Apache Tomcat 9.0.0.M1 to 9.0.53
      • Apache Tomcat 8.5.60 to 8.5.71

      We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
      Current bundled version of Tomcat 8.5.68

      Steps to Reproduce

      Expected Results

      • Not applicable.

      Actual Results

      • Not applicable.

      Workaround

      Note on fix

      Jira 8.21.0 is shipped with Apache Tomcat 8.5.72

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-71321 Upgrade the bundled version of Apache Tomcat to 8.5.57

          • Medium - Medium priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-72211 Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122

          • Low - Low priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-72310 8.5 and 8.13 LTS releases should bundle Tomcat 8.5.63 or higher

          • Low - Low priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-72914 Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError

          • Low - Low priority issues
          • Closed

          Public Security Vulnerability - JRASERVER-72346 Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122

          • Low - Low priority issues
          • Published

          Public Security Vulnerability - JRASERVER-72706 Jira is affected by Tomcat CVE-2020-13943

          • Low - Low priority issues
          • Published

          JSEC-1076 Loading...

          JSEC-1078 Loading...

          JSEC-1079 Loading...

          mentioned in

          Page Loading...

          relates to

          JSEC-950 Loading...

          Activity

            People

              pprzytarski Pawel Przytarski
              vshanmugam Vicknesh Shanmugam (Inactive)
              Votes:
              17 Vote for this issue
              Watchers:
              42 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: