Hi f25acc213138 / i.murphy439501242,
Please see https://confluence.atlassian.com/adminjiraserver/configuring-apache-reverse-proxy-using-the-ajp-protocol-938847753.html
In summary, our products do not use AJP connectors by default - if you have not configured your instance to use the AJP connector, it is not vulnerable to the Ghostcat CVE.
Linked is a guide for customers who wish to use AJP anyway, but see the notes at the top of the page:
We recommend that you wait until Jira is bundled with the Tomcat version that fixes this issue, we’ll update this note once it’s released. For more info about this vulnerability, see:
CVE-2020-1938: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability
Until then, if you need to use the AJP Connector, there are steps you can take to mitigate this issue. For more info, see this article.
and
Atlassian applications allow the use of reverse-proxies within our products, however Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian can not guarantee providing any support for them.
If assistance with configuration is required, please raise a question on Atlassian Answers
Suggestion
JRASERVER-70993 The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569
RAID-1987 You do not have permission to view this issue
Page Failed to load
Hi f25acc213138 / i.murphy439501242,
Please see https://confluence.atlassian.com/adminjiraserver/configuring-apache-reverse-proxy-using-the-ajp-protocol-938847753.html
In summary, our products do not use AJP connectors by default - if you have not configured your instance to use the AJP connector, it is not vulnerable to the Ghostcat CVE.
Linked is a guide for customers who wish to use AJP anyway, but see the notes at the top of the page:
and