Tomcat Version Upgrade for JIRA Service Desk Instance

Hi, 

First post so please let me know if any extra information is needed but I have the following question. 

“What is the best method for upgrading Tomcat from 5.5.57 to 5.5.68 when running Jira 8.13.0?

This is concerning “CVE-2021-33037 HTTP request smuggling””

Thank you for any information you can provide on this, Jira Community!

1 answer

0 votes
Daniel Eads Atlassian Team Jul 21, 2021

Hey @Giovanni Brown, welcome to the Community!

I must first mention that Atlassian only supports the configuration we bundle - each version of Jira is tested with the version of Tomcat it ships with in the installer/archive file. If you contact Atlassian Support for assistance through support.atlassian.com, we may be unable to support your instance if it's using a non-bundled Tomcat.

That said, if you must upgrade Tomcat to mitigate the CVE, the How to upgrade Apache Tomcat version used by Jira article provides instructions.

Our development teams regularly bundle new Tomcat versions with Jira, so if possible, it would be better to sit tight and upgrade Jira itself. As 8.13 is an LTS version, security fixes will be backported once available.

Cheers,
Daniel | Atlassian Support

Hi @Daniel Eads

Thank you for the quick response. The only other question I have is concerning the backported update: will that be something that will be automatically applied, or will I need to get that installation/upgrade started in the Jira Settings section, and what would be the steps for this? Do you know if that will be a this-month rollout or if it's looking like further out for the security fix?

Thanks for any information you can provide. 

Daniel Eads Atlassian Team Jul 23, 2021

You would need to upgrade Jira using the installer/upgrader (or archive file if you prefer) - a guide is available at Upgrading Jira applications if that sounds unfamiliar. It would not be automatically applied, or available to apply in Jira's administration section.

In terms of timeline, the vulnerability you mentioned in Tomcat has a CVSSv3 score of 5.3. According to Atlassian's Security Bugfix Policy and the self-managed product timeline, there is a timeframe of within 90 days.

I would suggest watching this issue on our public Jira instance: JRASERVER-72609 as it has the task for upgrading Tomcat. When the task is complete, the issue will have a Fix Version of whichever point release in Jira 8.13.x will have the upgraded Tomcat bundled.
