
Tomcat Version Upgrade for JIRA Service Desk Instance

Hi, 

First post so please let me know if any extra information is needed but I have the following question. 

“What is the best method for upgrading Tomcat from 5.5.57 to 5.5.68 when running Jira 8.13.0?

This is concerning “CVE-2021-33037 HTTP request smuggling””

Thank you for any information you can provide on this, Jira Community!

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads Atlassian Team Jul 21, 2021

Hey @Giovanni Brown , welcome to the Community!

I must first mention that Atlassian only supports the configuration we bundle - each version of Jira is tested with the version of Tomcat it ships with in the installer/archive file. If you contact Atlassian Support for assistance through support.atlassian.com, we may be unable to support your instance if it's using a non-bundled Tomcat.

That said, if you must upgrade Tomcat to mitigate the CVE, the How to upgrade Apache Tomcat version used by Jira article provides instructions.

Our development teams regularly bundle new Tomcat versions with Jira, so if possible, it would be better to sit tight and upgrade Jira itself. As 8.13 is an LTS version, security fixes will be backported once available.

Cheers,
Daniel | Atlassian Support

Hi @Daniel Eads

Thank you for the quick response. The only other question I have is concerning the backported update, will that be something that will be automatically applied or will I need to get that installation/upgrade started in the Jira Settings section and what would be the steps for this? Do you know if that will be a this month rollout or if it's looking like further out for the security fix?

Thanks for any information you can provide. 

Daniel Eads Atlassian Team Jul 23, 2021

You would need to upgrade Jira using the installer/upgrader (or archive file if you prefer) - a guide is available at Upgrading Jira applications if that sounds unfamiliar. It would not be automatically applied, or available to apply in Jira's administration section.

In terms of timeline, the vulnerability you mentioned in Tomcat has a CVSSv3 score of 5.3. According to Atlassian's Security Bugfix Policy and the self-managed product timeline, there is a timeframe of within 90 days.

I would suggest watching this issue on our public Jira instance: JRASERVER-72609 as it has the task for upgrading Tomcat. When the task is complete, the issue will have a Fix Version of whichever point release in Jira 8.13.x will have the upgraded Tomcat bundled.


Thank you so much!

Hi Support Team, 

I wanted to see if there has been any update to this! 

Daniel Eads Atlassian Team Oct 20, 2021

Hi @Giovanni Brown ,

I would suggest watching this issue on our public Jira instance: JRASERVER-72609. When the task is complete, the issue will have a Fix Version of whichever point release in Jira 8.13.x will have the upgraded Tomcat bundled.

Cheers,
Daniel | Atlassian Community Support
