Dear Atlassian support,
We are using several of your products and had (again) an extensive discussion in the team about whether we should use the bundled Java version that comes with a specific release or the system-wide Java, which is patched every 3 months following the Oracle quarterly announcements. Let me briefly summarize:
Always using the latest system-wide Java would make the Atlassian product more secure, but there is a chance that the product will no longer work, since we would be using a version of Java which is no longer the bundled one that originally came with a specific version, e.g. of Jira.
Alternatively, always update to the latest Atlassian release, assuming that the combination of Java bundle and software stack is secure.
Since we have so many instances, following either of the two approaches mentioned above would be very time consuming; it would be far more efficient if we were simply informed when a specific release of an Atlassian product (including the Java bundle) is a security risk. My question now is: is this information available at your end? Do you bother about it, or are you assuming that customers always use the latest versions? So, it's basically the following: we installed Jira (incl. the Java bundle) a year ago, and that is the release we have. Assume now that the latest Java release from Oracle comes out and has a severe vulnerability which applies to, and can be exploited using, the version of Jira we installed a year ago. Do you then inform customers about it? If so, would this information also be provided to other security entities like US-CERT and be part of their weekly announcements? Sorry for this very long email, but I'm sure your answer will help in our discussion. So, what would you recommend?
Typically, best practice is to review the release notes for every release to see what is patched, including security patches.
Running Server on-prem, you'll want to get your team to upgrade Jira at least twice a year to stay current and get patches, which would include the JVM.
If there's a major security issue found, Atlassian would send out an email and communicate that to its customer base, as well as cross-post online.