Jira Software Data Center
JSWSERVER-20471

Security Vulnerability Tomcat AJP CNVD-2020-10487/CVE-2020-1938


      I would like to check whether Jira is affected by the recent security vulnerability Tomcat AJP CNVD-2020-10487/CVE-2020-1938.

      If yes, please suggest the Jira version to be upgraded to.

      Thanks.


            Colin Xu added a comment - edited

            Hi f25acc213138 / i.murphy439501242,

            Please see https://confluence.atlassian.com/adminjiraserver/configuring-apache-reverse-proxy-using-the-ajp-protocol-938847753.html

            In summary, our products do not use AJP connectors by default - if you have not configured your instance to use the AJP connector, it is not vulnerable to the Ghostcat CVE.

            Linked is a guide for customers who wish to use AJP anyway, but see the notes at the top of the page:

            We recommend that you wait until Jira is bundled with the Tomcat version that fixes this issue, we’ll update this note once it’s released. For more info about this vulnerability, see:

            CVE-2020-1938: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability

            Until then, if you need to use the AJP Connector, there are steps you can take to mitigate this issue. For more info, see this article.

            and

            Atlassian applications allow the use of reverse-proxies within our products, however Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian cannot guarantee providing any support for them.

            If assistance with configuration is required, please raise a question on Atlassian Answers

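A practical way to act on the answer above: whether an instance is exposed comes down to whether server.xml contains an uncommented AJP connector, and if it does, whether that connector is bound to loopback and carries a shared secret. The script below is an added example written for this page; it is not Atlassian's code and not taken from the linked article. It assumes the Apache Tomcat AJP connector attributes `address`, `secret` and `secretRequired` as the hardening knobs (the mitigation specifics in the linked article are not reproduced on this page), and the three server.xml fragments are constructed for illustration rather than copied from a Jira install.

```python
"""Audit a Tomcat server.xml for active (uncommented) AJP connectors.

Added example for the JSWSERVER-20471 thread; not Atlassian code.
Assumption: a connector bound to loopback with a shared 'secret' is the
hardened form, per the Apache Tomcat AJP connector attributes
address / secret / secretRequired.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class AjpFinding:
    port: str
    address: str
    issues: list


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one AjpFinding per AJP connector that Tomcat would actually start.

    ElementTree discards XML comments while parsing, so a connector that is
    commented out in server.xml (the not-configured default the thread
    describes) never reaches the loop below and is not reported. A plain
    grep for 'AJP/1.3' would flag it anyway, which is the false positive
    this avoids.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and the explicit class names such as
        # "org.apache.coyote.ajp.AjpNioProtocol".
        if "AJP" not in protocol.upper():
            continue
        # Conservative assumption: if no address is given, treat the connector
        # as listening on all interfaces (older Tomcat releases did exactly
        # that; newer ones default to loopback, but the file does not say which
        # Tomcat will read it).
        address = conn.get("address", "0.0.0.0")
        issues = []
        if address not in LOOPBACK:
            issues.append(f"bound to {address}, reachable from other hosts")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append('secretRequired="false" disables the shared-secret check')
        if not conn.get("secret"):
            issues.append("no 'secret' set, so any client that can reach the port speaks AJP")
        findings.append(AjpFinding(conn.get("port", "?"), address, issues))
    return findings


def is_exposed(server_xml: str) -> bool:
    """True when at least one active AJP connector has an unmitigated issue."""
    return any(f.issues for f in audit_ajp_connectors(server_xml))


# Constructed server.xml fragments (not Jira's shipped file).
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- AJP left commented out: the not-configured default the thread describes
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    -->
  </Service>
</Server>
"""

EXPOSED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

MITIGATED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML),
                            ("exposed", EXPOSED_SERVER_XML),
                            ("mitigated", MITIGATED_SERVER_XML)):
        findings = audit_ajp_connectors(xml_text)
        print(f"{label}: {len(findings)} active AJP connector(s), exposed={is_exposed(xml_text)}")
        for f in findings:
            for issue in f.issues:
                print(f"  port {f.port}: {issue}")
```

Run it against the real `<jira-install>/conf/server.xml` by reading the file into `audit_ajp_connectors`; an empty result is the "not configured, not vulnerable" case from the answer, and a non-empty result with issues is the case where the linked mitigation steps (or waiting for the Jira build that bundles the fixed Tomcat) apply.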

            Sharada Moorthy (Inactive) added a comment

            CVSS v3 score: 7.5 => High severity

            Exploitability Metrics
              Attack Vector: Network
              Attack Complexity: Low
              Privileges Required: None
              User Interaction: None

            Scope Metric
              Scope: Unchanged

            Impact Metrics
              Confidentiality: None
              Integrity: None
              Availability: High

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

            Iain Murphy added a comment

            This is very important for us. If there are no plans to fix this, are there any instructions on upgrading Tomcat separately from Jira?

              cxu Colin Xu
              f25acc213138 win
              Votes: 5
              Watchers: 7