Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 8.20.30, 9.4.15, 9.12.2, 9.13.0
Affects Version/s: 8.20.0, 9.4.0, 9.12.0
Component/s: Security, Tomcat
Labels:

Introduced in Version:
8.2
CVSS Score:
7.5
Support reference count:
15
Symptom Severity:
Severity 3 - Minor
UIS:
29
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

Apache Tomcat should be upgraded to 8.5.96 and later or 9.0.83 or a newer version to fix CVE-2023-46589

Jira 9.0.x to 9.12 currently come bundled with a version of Tomcat which is vulnerable.
Jira 8.x.x currently come bundled with a version of Tomcat which is vulnerable.

Tomcat versions bundles with Jira can be found in our Bundled Tomcat and Java versions article

This is reproducible on Data Center:

Steps to Reproduce

Check the Apache Tomcat version

Expected Results

LTS and new versions of Jira include Apache Tomcat version 9.0.83 and later

Actual Results

Apache Tomcat version 9.0.82 and earlier

Workaround

To mitigate the issue, it is possible to manually upgrade Apache Tomcat by following the process described in the KB article below but please note that this will place the application in an unsupported state:

How to upgrade Apache Tomcat version used by Jira

WARNING: Unless still reproducible on official releases, Atlassian Support may refuse support requests for Jira running over unofficial Tomcat versions.

Attachments

Issue Links

duplicates

JSWSERVER-25502 Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

Published

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Steve Watson

Reporter:: Allan O'Rourke

Votes:: 2 Vote for this issue

Watchers:: 20 Start watching this issue

Dates

Created:: 03/Dec/2023 11:55 PM

Updated:: 1 week ago 4:47 AM

Resolved:: 02/Jan/2024 2:04 PM