[JRASERVER-76699] Upgrade Tomcat to fix CVE-2023-46589

Type: Bug
Resolution: Fixed
Priority: High (View bug fix roadmap)
Fix Version/s: 8.20.30, 9.4.15, 9.12.2, 9.13.0
Affects Version/s: 8.20.0, 9.4.0, 9.12.0
Component/s: Security, Tomcat
Labels:

Introduced in Version:
8.2
CVSS Score:
7.5
Support reference count:
15
Symptom Severity:
Severity 3 - Minor
UIS:
29
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a newer version to fix CVE-2023-46589

Jira 9.0.x to 9.12 currently come bundled with a version of Tomcat which is vulnerable.
Jira 8.x.x currently come bundled with a version of Tomcat which is vulnerable.

Tomcat versions bundles with Jira can be found in our Bundled Tomcat and Java versions article

This is reproducible on Data Center:

Steps to Reproduce

Check the Apache Tomcat version

Expected Results

LTS and new versions of Jira include Apache Tomcat version 9.0.83 and later

Actual Results

Apache Tomcat version 9.0.82 and earlier

Workaround

To mitigate the issue, it is possible to manually upgrade Apache Tomcat by following the process described in the KB article below but please note that this will place the application in an unsupported state:

How to upgrade Apache Tomcat version used by Jira

WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Jira running over unofficial Tomcat versions.

duplicates

JSWSERVER-25502 Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

Published

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

Form Name

Steve Watson added a comment - 25/Jan/2024 11:24 AM - edited

Hello 54794a758297 , thanks for getting in touch. This ticket was created manually, hence the discrepancy.

An official Jira ticket for this vulnerability does exist, but there has been a delay in publishing it. In the meantime, we shall update this ticket to match that one.

Also, when the official ticket is published it will be included in the next Security Bulletin.

Steve Watson added a comment - 25/Jan/2024 11:24 AM - edited Hello 54794a758297 , thanks for getting in touch. This ticket was created manually, hence the discrepancy. An official Jira ticket for this vulnerability does exist, but there has been a delay in publishing it. In the meantime, we shall update this ticket to match that one. Also, when the official ticket is published it will be included in the next Security Bulletin.

Alex Kulichkov added a comment - 24/Jan/2024 6:45 PM

I see that documentation has been updated to v.9.0.84,

Thanks!

Alex Kulichkov added a comment - 24/Jan/2024 6:45 PM I see that documentation has been updated to v.9.0.84, Thanks!

Alex Kulichkov added a comment - 22/Jan/2024 4:08 PM

Hello, so does Jira v.9.12.2 and JSM v.5.12.2 have bundled Tomcat v.9.0.83 or above? We have request from CISO to remediate this since December.

In documentation it still says Tomcat v.9.0.82

Alex Kulichkov added a comment - 22/Jan/2024 4:08 PM Hello, so does Jira v.9.12.2 and JSM v.5.12.2 have bundled Tomcat v.9.0.83 or above? We have request from CISO to remediate this since December. In documentation it still says Tomcat v.9.0.82

Ilkka Kiiskinen added a comment - 16/Jan/2024 10:43 AM

Bitbucket, Crowd and Bamboo have related vulnerability issue as priority high and CVSS score 7.5/High.
Refs:
https://jira.atlassian.com/browse/BSERV-19097
https://jira.atlassian.com/browse/CWD-6191
https://jira.atlassian.com/browse/BAM-25606

This issue is not listed in January 2024 Security Bulletin https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
where as the three others are.

This issue does not have CVSS & CVE fields.
Is the vulnerability in Jira less critical compared to other Atlassian products?

Ilkka Kiiskinen added a comment - 16/Jan/2024 10:43 AM Bitbucket, Crowd and Bamboo have related vulnerability issue as priority high and CVSS score 7.5/High. Refs: https://jira.atlassian.com/browse/BSERV-19097 https://jira.atlassian.com/browse/CWD-6191 https://jira.atlassian.com/browse/BAM-25606 This issue is not listed in January 2024 Security Bulletin https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html where as the three others are. This issue does not have CVSS & CVE fields. Is the vulnerability in Jira less critical compared to other Atlassian products?

Assignee:: Steve Watson

Reporter:: Allan O'Rourke

Affected customers:: 2 This affects my team

Watchers:: 19 Start watching this issue

Created:: 03/Dec/2023 11:55 PM

Updated:: 22/Apr/2024 4:47 AM

Resolved:: 02/Jan/2024 2:04 PM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: Steve Watson added a comment - 25/Jan/2024 11:24 AM, Edited by Steve Watson - 25/Jan/2024 11:27 AM

Expand comment: Steve Watson added a comment - 25/Jan/2024 11:24 AM, Edited by Steve Watson - 25/Jan/2024 11:27 AM

Collapse comment: Alex Kulichkov added a comment - 24/Jan/2024 6:45 PM

Expand comment: Alex Kulichkov added a comment - 24/Jan/2024 6:45 PM

Collapse comment: Alex Kulichkov added a comment - 22/Jan/2024 4:08 PM

Expand comment: Alex Kulichkov added a comment - 22/Jan/2024 4:08 PM

Collapse comment: Ilkka Kiiskinen added a comment - 16/Jan/2024 10:43 AM

Expand comment: Ilkka Kiiskinen added a comment - 16/Jan/2024 10:43 AM

People

Dates