Could CVE-2020-17527 affect the security of Jira and Confluence versions that are bundled with insecure Tomcat versions?
Hello Sam,
Our security team is assessing this particular CVE per our security bug-fix policy (NVD has scored this as 'high' in Tomcat). This message is simply an acknowledgment that the particular CVE is being evaluated at Atlassian. While I don't have details to share at the moment, I will update this answer when more information does become available. Thanks for being alert and on top of CVEs!
Cheers,
Daniel | Atlassian Support
Hi Daniel, thank you for your response! I actually raised a ticket with Atlassian about this, and they confirmed that this would only affect the instances if Tomcat used HTTP/2. I was able to verify that none of our instances use HTTP/2 by going to the server.xml and looking at the following line:
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
Because of the line "protocol="HTTP/1.1"", I was able to verify that this would not affect our instances.
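As an added example (not part of the original thread or of any Atlassian tooling), the script below automates the server.xml check discussed above. One caveat worth building in: Tomcat enables HTTP/2 through a nested `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>` element inside a `<Connector>`, so a connector can still carry `protocol="HTTP/1.1"` (or the NIO class name) and have h2 enabled. The check therefore looks for that child element on every connector rather than relying on the `protocol` attribute alone. The sample server.xml embedded in the script is constructed for the example; the function name `http2_connectors` is my own.

```python
"""Report Tomcat connectors that have HTTP/2 enabled.

Added example, not code from the original thread. In Tomcat, HTTP/2 is turned on
by a nested <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
inside a <Connector>, so the protocol="HTTP/1.1" attribute alone is not a reliable
signal; this script checks for the child element.
"""
import sys
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def http2_connectors(server_xml: str) -> list:
    """Return (port, protocol) tuples for every Connector with HTTP/2 enabled."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # HTTP/2 is enabled per connector by an UpgradeProtocol child element.
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_CLASS:
                findings.append((conn.get("port"), conn.get("protocol", "HTTP/1.1")))
                break
    return findings


# Constructed sample server.xml: the first connector mirrors the HTTP/1.1-only
# line from the thread; the second shows how h2 is actually switched on.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" relaxedPathChars="[]|"
               relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
               protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>
"""


def main(argv: list) -> int:
    """Usage: python check_h2.py [path/to/server.xml]; defaults to the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    found = http2_connectors(xml_text)
    if not found:
        print("No connector has HTTP/2 enabled.")
        return 0
    for port, proto in found:
        print(f"HTTP/2 enabled on connector port={port} protocol={proto}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each instance's `server.xml`; a non-zero exit code means at least one connector has the h2 upgrade protocol configured, which is the condition under which the thread's reasoning about exposure would no longer hold.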