JRASERVER-72880

Jira 8.19.X ships with JDK 11.0.11 which is affected by CVE-2021-2388


      Issue Summary

      Since the release of JRASERVER-72339, Jira 8.19.X ships with OpenJDK 11; however, the bundled AdoptOpenJDK 11.0.11 is affected by CVE-2021-2388:

      • https://nvd.nist.gov/vuln/detail/CVE-2021-2388 - CVSS 3.1 Base Score 7.5
      • Quote from doc

        This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

      Steps to Reproduce

      1. Use the bin installer to install Jira 8.19.X
      2. Check the Java version

      Expected Results

      Bundled Java version should not be affected by CVE-2021-2388

      Actual Results

      Bundled Java version is affected by CVE-2021-2388

      Workaround

      If you are using the embedded Java, change the Java version following the steps here:

      Upgrade Java to the latest stable version of JDK (11.0.12+7)
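
One way to carry out the version check in step 2 and to confirm the workaround took effect, as an added example that is not part of the original issue or of Atlassian's tooling. The sample `java -version` output is constructed and the `jre/bin/java` path in the usage comment is an assumption; the 11.0.12 threshold comes from the workaround above, and versions outside the 11.x line are reported as unknown because this issue does not cover them.

```shell
#!/bin/sh
# Added example: classify a Java runtime against the versions named in this issue.
# 11.0.11 is reported as affected; 11.0.12 is the workaround target.

# Constructed sample of `java -version` output, used when no path is given.
SAMPLE_OUTPUT='openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)'

# Extract the quoted version from the first line of `java -version` output.
extract_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^"]*"\([^"]*\)".*$/\1/p'
}

# Print "affected", "fixed" or "unknown" for a version such as 11.0.11 or 11.0.12+7.
jdk_status() {
    v=${1%%[+-]*}                      # drop build suffix: 11.0.12+7 -> 11.0.12
    major=${v%%.*}
    [ "$major" = "11" ] || { echo unknown; return 0; }
    rest=${v#*.}                       # 11.0.12 -> 0.12
    case $v in *.*) ;; *) rest="0.0" ;; esac   # bare "11" means 11.0.0
    minor=${rest%%.*}
    patch=${rest#*.}
    case $rest in *.*) ;; *) patch=0 ;; esac   # "11.0" means 11.0.0
    patch=${patch%%.*}                 # ignore a fourth component
    case "$minor$patch" in *[!0-9]*|"") echo unknown; return 0 ;; esac
    if [ "$minor" -gt 0 ] || [ "$patch" -ge 12 ]; then
        echo fixed
    else
        echo affected
    fi
}

# Usage: sh check_jdk.sh <jira-install>/jre/bin/java   (path is an assumption)
# Without an argument the script classifies the constructed sample above.
if [ -n "${1:-}" ]; then
    output=$("$1" -version 2>&1)
else
    output=$SAMPLE_OUTPUT
fi
ver=$(extract_version "$output")
echo "${ver:-unparsed}: $(jdk_status "$ver")"
```

Run it against the Java binary that Jira actually starts with, since a newer system-wide JDK does not change what the bundled runtime reports.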

            15609d8ba305 Filip Nowak
            astephen@atlassian.com Adrian Stephen