
Tomcat Version Upgrade for JIRA Service Desk Instance

Giovanni Brown July 21, 2021

Hi, 

First post so please let me know if any extra information is needed but I have the following question. 

“What is the best method for upgrading Tomcat from 5.5.57 to 5.5.68 when running Jira 8.13.0?

This is concerning “CVE-2021-33037 HTTP request smuggling””

Thank you for any information you can provide on this, Jira Community!

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 21, 2021

Hey @Giovanni Brown , welcome to the Community!

I must first mention that Atlassian only supports the configuration we bundle - each version of Jira is tested with the version of Tomcat it ships with in the installer/archive file. If you contact Atlassian Support for assistance through support.atlassian.com, we may be unable to support your instance if it's using a non-bundled Tomcat.

That said, if you must upgrade Tomcat to mitigate the CVE, the How to upgrade Apache Tomcat version used by Jira article provides instructions.

Our development teams regularly bundle new Tomcat versions with Jira, so if possible, it would be better to sit tight and upgrade Jira itself. As 8.13 is an LTS version, security fixes will be backported once available.

Cheers,
Daniel | Atlassian Support

Giovanni Brown July 22, 2021

Hi @Daniel Eads

Thank you for the quick response. The only other question I have is concerning the backported update, will that be something that will be automatically applied or will I need to get that installation/upgrade started in the Jira Settings section and what would be the steps for this? Do you know if that will be a this month rollout or if it's looking like further out for the security fix?

Thanks for any information you can provide. 

Daniel Eads
Atlassian Team
July 23, 2021

You would need to upgrade Jira using the installer/upgrader (or archive file if you prefer) - a guide is available at Upgrading Jira applications if that sounds unfamiliar. It would not be automatically applied, or available to apply in Jira's administration section.

In terms of timeline, the vulnerability you mentioned in Tomcat has a CVSSv3 score of 5.3. According to Atlassian's Security Bugfix Policy and the self-managed product timeline, there is a timeframe of within 90 days.

I would suggest watching this issue on our public Jira instance: JRASERVER-72609 as it has the task for upgrading Tomcat. When the task is complete, the issue will have a Fix Version of whichever point release in Jira 8.13.x will have the upgraded Tomcat bundled.

Giovanni Brown July 29, 2021

Thank you so much!

Giovanni Brown October 18, 2021

Hi Support Team, 

I wanted to see if there has been any update to this! 

Daniel Eads
Atlassian Team
October 20, 2021

Hi @Giovanni Brown ,

I would suggest watching this issue on our public Jira instance: JRASERVER-72609. When the task is complete, the issue will have a Fix Version of whichever point release in Jira 8.13.x will have the upgraded Tomcat bundled.

Cheers,
Daniel | Atlassian Community Support
