Is using the bundled Java for Atlassian products secure?

Dear Atlassian support,

we are using several of your products and had (again) an extensive discussion in the team about whether we should use the bundled Java version that comes with a specific release or the system-wide Java, which is patched every 3 months following the Oracle quarterly announcements. Let me briefly summarize:

Always using the latest system-wide Java would make the Atlassian product more secure, but there is a chance that the product will no longer work, since we would be using a version of Java that is no longer the bundled one that originally came with a specific version, e.g. of Jira.

Alternatively, always update to the latest Atlassian release, assuming that the combination of Java bundle and software stack is secure.

Since we have so many instances, following either of the two approaches mentioned above would be very time consuming. It would be far more efficient if we were simply informed when a specific release of an Atlassian product (including the Java bundle) is a security risk. My question now is: is this information available at your end? Do you keep track of it, or are you assuming that customers always use the latest versions? So, it's basically the following: we installed Jira (incl. the Java bundle) a year ago, and that is the release we have. Assume now that the latest Java release from Oracle comes out and has a severe vulnerability which applies to, and can be exploited using, the version of Jira we installed a year ago; do you then inform customers about it? If so, would this information also be provided to other security entities like US-CERT and be part of their weekly announcements? Sorry for this very long email, but I'm sure your answer will help in our discussion, so what would you recommend?

Kind regards

1 answer

0 vote

Typically, best practice is to review the release notes for every release to see what is patched, including security patches.

Running Server on-prem, you'll want to get your team to upgrade Jira at least twice a year to stay current and get patches, which would include the JVM.

If there's a major security issue found, Atlassian would send out an email and communicate that to its customer base, as well as cross-post online.
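A practical check for the inventory problem raised in the question, as an added example that is not Atlassian's code or tooling: for each installation directory, work out which java binary the start script would pick, read its version banner, and flag any runtime older than the patched version you require. Two things are assumptions, not verified against any particular product release: that the bundled runtime lives under `<install>/jre`, and that `JRE_HOME`, then `JAVA_HOME`, take precedence over it. The install paths and `java -version` banners in the demo are constructed; swap in the default `run`/`exists` arguments to audit real hosts.

```python
"""Inventory which Java runtime each Atlassian Server install actually uses.

Added example, not Atlassian's own tooling. Assumptions (hypothetical, not
verified against any specific product release): the bundled runtime lives at
<install>/jre, and the start scripts prefer $JRE_HOME, then $JAVA_HOME, and
fall back to that bundled directory.
"""
import os
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches both the legacy quoting (java version "1.8.0_181") and the modern
# one (openjdk version "11.0.11" 2021-04-20).
_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Version]:
    """Parse `java -version` output into (feature, interim, update); None if unparseable."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    if major == "1":  # Java 8 and older: 1.8.0_181 -> (8, 0, 181)
        return int(minor or 0), int(patch or 0), int(update or 0)
    return int(major), int(minor or 0), int(patch or 0)  # 11.0.11 -> (11, 0, 11)


def resolve_java(install_dir: str, env: Dict[str, str],
                 exists: Callable[[str], bool] = os.path.exists) -> Tuple[str, str]:
    """Return (source, path) of the java binary the start script would pick.

    Precedence is the assumption stated in the module docstring. `exists` is
    injectable so the logic can be tested without touching the filesystem.
    """
    for var in ("JRE_HOME", "JAVA_HOME"):
        home = env.get(var)
        if home:
            return f"system ({var})", os.path.join(home, "bin", "java")
    bundled = os.path.join(install_dir, "jre", "bin", "java")
    if exists(bundled):
        return "bundled", bundled
    return "none", ""


def run_java_version(java_path: str) -> str:
    """Run `<java> -version`; the JVM prints the banner on stderr."""
    try:
        proc = subprocess.run([java_path, "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stderr + proc.stdout


def audit(installs: List[str], env: Dict[str, str], minimum: Version,
          run: Callable[[str], str] = run_java_version,
          exists: Callable[[str], bool] = os.path.exists) -> List[dict]:
    """One row per install: which runtime it uses, its version, and whether
    that is older than `minimum` (the patched version you currently require).
    An unreadable or missing runtime is flagged, never silently passed."""
    rows = []
    for inst in installs:
        source, path = resolve_java(inst, env, exists)
        version = parse_java_version(run(path)) if path else None
        rows.append({
            "install": inst,
            "runtime": source,
            "version": version,
            "below_minimum": version is None or version < minimum,
        })
    return rows


if __name__ == "__main__":
    # Constructed sample: one install still on the JRE bundled with a year-old
    # release, one pointed at a patched system JDK via JAVA_HOME. Paths,
    # banners and the minimum versions are made up for the demo.
    fake_fs = {"/opt/atlassian/jira/jre/bin/java", "/usr/lib/jvm/java-11/bin/java"}
    fake_banner = {
        "/opt/atlassian/jira/jre/bin/java": 'java version "1.8.0_181"\n',
        "/usr/lib/jvm/java-11/bin/java": 'openjdk version "11.0.11" 2021-04-20\n',
    }
    for row in audit(["/opt/atlassian/jira"], {}, (8, 0, 292),
                     run=lambda p: fake_banner.get(p, ""),
                     exists=lambda p: p in fake_fs):
        print(row)
    for row in audit(["/opt/atlassian/confluence"],
                     {"JAVA_HOME": "/usr/lib/jvm/java-11"}, (11, 0, 11),
                     run=lambda p: fake_banner.get(p, ""),
                     exists=lambda p: p in fake_fs):
        print(row)
```

Run it from a host with several installs (or over SSH from a jump box) with the real `run`/`exists` defaults and a `minimum` taken from the JDK vendor's latest security update; any row with `below_minimum` set is an instance that either needs the product upgraded (bundled runtime) or the system JDK patched and the service restarted.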
