[JSWSERVER-26146] Jira 9.12.14 LTS version installer is bundled with vulnerable Java version - Create and track feature requests for Atlassian products.

Type: Suggestion
Resolution: Unresolved
Fix Version/s: None
Component/s: Versions
Labels:
None

UIS:
0
Feedback Policy:

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Problem

the current LTS version of Jira (9.12.14) is bundled with Eclipse Temurin 17.0.7 which has been released in April 2023 and is affected by a multitude of vulnerabilities. Please refer to the following OpenJDK Vulnerability Advisories for details:

17.0.7: https://openjdk.org/groups/vulnerability/advisories/2023-07-18
17.0.8: https://openjdk.org/groups/vulnerability/advisories/2023-10-17
17.0.9: https://openjdk.org/groups/vulnerability/advisories/2024-01-16
17.0.10: https://openjdk.org/groups/vulnerability/advisories/2024-04-16
17.0.11: https://openjdk.org/groups/vulnerability/advisories/2024-07-16
17.0.12: https://openjdk.org/groups/vulnerability/advisories/2024-10-15

Why This Is Important

It is important to keep to Jira LTS version within the compliance standards and without any security vulnerabilities.
Also switching to a standalone JDK requires some manual effort if Atlassian doesn't bundle the Jira installer with Eclipse Temurin 17.0.13

Workaround

You can change the Java used by following the steps in How to change the Java version used by Jira Server and Data Center

Loading...

Type: Suggestion
Resolution: Unresolved
Fix Version/s: None
Component/s: Versions
Labels:
None

UIS:
0
Feedback Policy:

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Problem

the current LTS version of Jira (9.12.14) is bundled with Eclipse Temurin 17.0.7 which has been released in April 2023 and is affected by a multitude of vulnerabilities. Please refer to the following OpenJDK Vulnerability Advisories for details:

17.0.7: https://openjdk.org/groups/vulnerability/advisories/2023-07-18
17.0.8: https://openjdk.org/groups/vulnerability/advisories/2023-10-17
17.0.9: https://openjdk.org/groups/vulnerability/advisories/2024-01-16
17.0.10: https://openjdk.org/groups/vulnerability/advisories/2024-04-16
17.0.11: https://openjdk.org/groups/vulnerability/advisories/2024-07-16
17.0.12: https://openjdk.org/groups/vulnerability/advisories/2024-10-15

Why This Is Important

It is important to keep to Jira LTS version within the compliance standards and without any security vulnerabilities.
Also switching to a standalone JDK requires some manual effort if Atlassian doesn't bundle the Jira installer with Eclipse Temurin 17.0.13

Workaround

You can change the Java used by following the steps in How to change the Java version used by Jira Server and Data Center

Assignee:: Unassigned

Reporter:: Baris Ilhan

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 31/Oct/2024 10:04 AM

Updated:: 31/Jan/2025 2:31 AM

Jira Software Data Center

Jira 9.12.14 LTS version installer is bundled with vulnerable Java version

Problem

Suggested Solution

Why This Is Important

Workaround

Jira 9.12.14 LTS version installer is bundled with vulnerable Java version

Problem

Suggested Solution

Why This Is Important

Workaround

Jira Software Data Center

Details

Description

Problem

Suggested Solution

Why This Is Important

Workaround

Attachments

Forms

Activity

Details

Description

Problem

Suggested Solution

Why This Is Important

Workaround

Attachments

Forms

Activity

People

Dates

Backbone Issue Sync

People

Dates

Backbone Issue Sync