-
Suggestion
-
Resolution: Unresolved
-
None
-
None
-
0
-
2
-
Problem
the current LTS version of Jira (9.12.14) is bundled with Eclipse Temurin 17.0.7 which has been released in April 2023 and is affected by a multitude of vulnerabilities. Please refer to the following OpenJDK Vulnerability Advisories for details:
17.0.7: https://openjdk.org/groups/vulnerability/advisories/2023-07-18
17.0.8: https://openjdk.org/groups/vulnerability/advisories/2023-10-17
17.0.9: https://openjdk.org/groups/vulnerability/advisories/2024-01-16
17.0.10: https://openjdk.org/groups/vulnerability/advisories/2024-04-16
17.0.11: https://openjdk.org/groups/vulnerability/advisories/2024-07-16
17.0.12: https://openjdk.org/groups/vulnerability/advisories/2024-10-15
Suggested Solution
Please update the bundled JDK to the current version 17.0.13 as soon as possible.
Why This Is Important
It is important to keep to Jira LTS version within the compliance standards and without any security vulnerabilities.
Also switching to a standalone JDK requires some manual effort if Atlassian doesn't bundle the Jira installer with Eclipse Temurin 17.0.13
Workaround
You can change the Java used by following the steps in How to change the Java version used by Jira Server and Data Center
[JSWSERVER-26146] Jira 9.12.14 LTS version installer is bundled with vulnerable Java version
| Support reference count | New: 2 |
| UIS | Original: 1 | New: 0 |
| UIS | New: 1 |