Jira 8.19.X ships with JDK 11.0.11 which is affected by CVE-2021-2388


    • 8.19
    • Severity 3 - Minor

      Issue Summary

      Since JRASERVER-72339 was delivered, Jira 8.19.x ships with OpenJDK 11; however, the bundled AdoptOpenJDK 11.0.11 is affected by CVE-2021-2388:

      • https://nvd.nist.gov/vuln/detail/CVE-2021-2388 - CVSS 3.1 Base Score 7.5
      • Quote from the NVD description (the CVE is in the Hotspot component and is only reachable through untrusted code running in the JVM):

        This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

      Steps to Reproduce

      1. Use the .bin installer to install Jira 8.19.x
      2. Check the version of the Java runtime bundled under the Jira install directory
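The check in step 2, and the confirmation that the workaround below was applied, can be scripted. The following is an added example and is not part of the Jira issue or of any Atlassian tooling: it parses `java -version` output, compares the version against 11.0.12 (the first JDK 11 update that contains the fix for CVE-2021-2388), and classifies the result. The default path `/opt/atlassian/jira/jre/bin/java` is the Linux installer's default location and is an assumption; the sample `java -version` dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Jira issue: classify the JDK bundled with a Jira
# 8.19.x install as PATCHED or VULNERABLE with respect to CVE-2021-2388.
# Assumption: default Linux install layout, <JIRA_INSTALL>/jre/bin/java.

FIXED_VERSION="11.0.12"   # July 2021 CPU release that contains the fix

# version_ge CAND MIN: return 0 if CAND >= MIN, 1 otherwise. Versions are
# compared numerically as major.minor.update (missing parts count as 0).
version_ge() {
    cand=$1 min=$2
    oldifs=$IFS; IFS=.
    set -- $cand; c=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    set -- $min;  m=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    IFS=$oldifs
    [ "$c" -ge "$m" ]
}

# java_version_from_output TEXT: pull "x.y.z" from the first line of a
# `java -version` dump, which OpenJDK/Oracle builds print as
#   openjdk version "11.0.11" 2021-04-20
# Build suffixes (+9, _292) are deliberately dropped; only x.y.z is compared.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# verdict_for_output TEXT: print "PATCHED x.y.z", "VULNERABLE x.y.z" or
# "UNKNOWN" for a `java -version` dump. Unparseable input returns non-zero
# so a fleet scan cannot silently pass on a broken or missing runtime.
verdict_for_output() {
    v=$(java_version_from_output "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
        return 1
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "PATCHED $v"
    else
        echo "VULNERABLE $v"
    fi
}

# check_jira_java [JAVA_BIN]: run the bundled java and classify it.
# `java -version` writes to stderr, hence the 2>&1.
check_jira_java() {
    java_bin=${1:-/opt/atlassian/jira/jre/bin/java}   # assumed default path
    if [ ! -x "$java_bin" ]; then
        echo "UNKNOWN (no executable java at $java_bin)"
        return 2
    fi
    verdict_for_output "$("$java_bin" -version 2>&1)"
}

# Constructed sample dumps (format copied from real builds, text written for
# this example): the AdoptOpenJDK 11.0.11+9 that Jira 8.19.x ships, and the
# 11.0.12+7 release the workaround upgrades to.
SAMPLE_11_0_11='openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)'

SAMPLE_11_0_12='openjdk version "11.0.12" 2021-07-20
OpenJDK Runtime Environment Temurin-11.0.12+7 (build 11.0.12+7)
OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (build 11.0.12+7, mixed mode)'

# Stand-alone demo: classify the two samples, then the real install if a
# path to its java binary is given as the first argument.
verdict_for_output "$SAMPLE_11_0_11"   # VULNERABLE 11.0.11
verdict_for_output "$SAMPLE_11_0_12"   # PATCHED 11.0.12
if [ $# -gt 0 ]; then
    check_jira_java "$1"
fi
```

Run it on the Jira host as `sh check_jira_jdk.sh /opt/atlassian/jira/jre/bin/java` (or with the path used by your install). Note that it inspects only the bundled runtime; if `JAVA_HOME` in `bin/setenv.sh` points Jira at a different JDK, check that binary instead, because that is the one Tomcat actually starts.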

      Expected Results

      The bundled Java runtime should not be affected by CVE-2021-2388

      Actual Results

      The bundled Java runtime (AdoptOpenJDK 11.0.11) is affected by CVE-2021-2388

      Workaround

      If you are using the embedded Java, change the Java version following the steps here:

      Upgrade Java to the latest stable JDK 11 release (11.0.12+7 or later); 11.0.12 is the first JDK 11 update that contains the fix for CVE-2021-2388.

            Assignee: Filip Nowak
            Reporter: Adrian Stephen (Inactive)
            Votes: 4
            Watchers: 7
