First post so please let me know if any extra information is needed but I have the following question.
“What is the best method for upgrading Tomcat from 5.5.57 to 5.5.68 when running Jira 8.13.0?
This is concerning “CVE-2021-33037 HTTP request smuggling”.”
Thank you for any information you can provide on this, Jira Community!
Hey @Giovanni Brown, welcome to the Community!
I must first mention that Atlassian only supports the configuration we bundle - each version of Jira is tested with the version of Tomcat it ships with in the installer/archive file. If you contact Atlassian Support for assistance through support.atlassian.com, we may be unable to support your instance if it's using a non-bundled Tomcat.
That said, if you must upgrade Tomcat to mitigate the CVE, the How to upgrade Apache Tomcat version used by Jira article provides instructions.
Our development teams regularly bundle new Tomcat versions with Jira, so if possible, it would be better to sit tight and upgrade Jira itself. As 8.13 is an LTS version, security fixes will be backported once available.
Daniel | Atlassian Support
Hi @Daniel Eads
Thank you for the quick response. The only other question I have is concerning the backported update: will that be something that will be automatically applied, or will I need to get that installation/upgrade started in the Jira Settings section, and what would be the steps for this? Do you know if that will be a this-month rollout or if it's looking like further out for the security fix?
Thanks for any information you can provide.
You would need to upgrade Jira using the installer/upgrader (or archive file if you prefer) - a guide is available at Upgrading Jira applications if that sounds unfamiliar. It would not be automatically applied, or available to apply in Jira's administration section.
In terms of timeline, the vulnerability you mentioned in Tomcat has a CVSSv3 score of 5.3. According to Atlassian's Security Bugfix Policy and the self-managed product timeline, there is a timeframe of within 90 days.
I would suggest watching this issue on our public Jira instance: JRASERVER-72609 as it has the task for upgrading Tomcat. When the task is complete, the issue will have a Fix Version of whichever point release in Jira 8.13.x will have the upgraded Tomcat bundled.