Jira software 8.17 has jdk vulnerabilities

I have tried with the second solution, install own openjdk rpm then set the JAVA_HOME to point to the openjdk java path in setenv.sh. I remembered I tried this and the Jira Application didnt start. Seems like some of the paths are still using the jdk in the jira path. Not sure what went wrong.

I am not sure what you mean by 

set the JAVA_HOME to point to the openjdk java path in setenv.sh

You should not have to touch the setenv.sh file in order to make this work.

Try following the documentation guide for setting JAVA_HOME as explained in Jira Server: Installing Java:

On Linux

The JAVA_HOME environment variable is sometimes set in the /etc/environment file. You'll need to modify its value to JAVA_HOME="path/to/JAVA_HOME".

1. If JAVA_HOME is not defined in this file, set it using the following command at a shell prompt, when logged in with 'root' level permissions:

   export JAVA_HOME="path/to/JAVA_HOME" >> /etc/environment

2. Log out for these changes to apply.

Once that is done, log back into that session and try

echo $JAVA_HOME

to see what value is returned in the terminal.  If this is working as expected, then you should get back the path of your installed Java version.  If the path is correct, then try to start Jira.

so can you tell me what ver is supported 

I have done yum install java-11-openjdk-devel

After that I did as what you did, I added the

export JAVA_HOME="/usr/bin/java" >>/etc/environment

Then I stop-jira.sh and start-jira.sh

Then when I start jira

It is using JRE_HOME=/opt/atlassian/jira/jre

how do you know that atlassian jira is using the jdk that you use and not the inbuilt jdk?

Note that I used the bin installation not the tar.gz installation way to install.

So the bin installer for linux, and the exe installer for windows will bundle Java when Jira is installed.  But the other install packages such as the .zip or .tar.gz do not do this.  Thanks for letting me know that part.  It is possible that your setenv.sh might have a JRE_HOME parameter defined there.   If it does, just comment out that line with a # at the beginning of that line and save that file. 

But the JAVA_HOME parameter is not defined in the setenv.sh file in my experience.  Provided that a JAVA_HOME is defined the way we expect in this environment, Jira will use that when starting up if JRE_HOME is not defined.  You can also use a terminal command such as

which java 

to see which path of Java is called by that user.

In regards to what versions of Java are supported in Jira, please see our supported platforms page.  At least in the current version of Jira 8.18.1, Java 8 and 11 are supported from either Oracle or the OpenJDK distributions. 

I am using a lInux bin installer

  It is possible that your setenv.sh might have a JRE_HOME parameter defined there.   If it does, just comment out that line with a # at the beginning of that line and save that file. 

Just comment out JRE_HOME in the setenv.sh? Then, I restart the server and it will work?

I remembered I tried this before, the tomcat failed to start properly.

Then it will use the JAVA_HOME environment variable defined in /etc/environment?

At least in the current version of Jira 8.18.1, Java 8 and 11 are supported from either Oracle or the OpenJDK distributions. 

Yes , I am using OpenJDK11 as seen below:

yum install java-11-openjdk-devel

Please suggest which method should I proceed with

1. Uninstall the existing jira software and use the tar gz method to install the jira software since the bin method just not recognize the JRE_HOME 

2. Change some JRE_HOME environment variable in setenv.sh in Jira software.

Please let us know which is more preferred.

Personally, I would comment out the line that sets the JRE_HOME if found in that file.  Provided the JAVA_HOME is set correctly, Jira will default to use that when JRE_HOME is not defined.

Alternatively, you can create a fresh install using a tar.gz install package, but I can't say which is preferable in all cases.

there's no JRE_HOME in setenv.sh

I commented JAVA_HOME in setenv.sh

/opt/atlassian/jira/bin/check-java.sh line:31 [:-ne:unary operator expected

/opt/atlassian/jira/bin/set-gc-params.sh line:5 [:-ge :unary operator expected

Tried changing JAVA_HOME =/bin/java in setenv.sh , still the above same result

I won't want to go the fresh install route

If the bin installer is there, I am not sure why they "force" the user to use the in built atlassian JRE and dont allow the user to use the java installed in their own environmet

check-java.sh

line 31:

if [ $java_version -ne 8]  && [ $java_version -ne 11]

I am using:

OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)

if you can help me to resolve this unary operator issue, and Jira application can run using the yum install openjdk successfully using the in built java for  Jira bin environment, I will straightaway mark this as solved.

That error of

unary operator expected

is a pretty clear indicator that the JAVA_HOME is not set correctly here.  JAVA_HOME is not expected to be set in the setenv.sh file, as I have tried to explain previously.  It is expected to be a system variable.  You should be able to run a terminal command such as

echo $JAVA_HOME

and then see the expected path in which your desired Java exists.  What value do you see when running that command?

Have you completed the instructions for setting the JAVA_HOME as found in https://confluence.atlassian.com/adminjiraserver/installing-java-938846828.html ?

On Linux

The JAVA_HOME environment variable is sometimes set in the /etc/environment file. You'll need to modify its value to JAVA_HOME="path/to/JAVA_HOME".

1. If JAVA_HOME is not defined in this file, set it using the following command at a shell prompt, when logged in with 'root' level permissions:

   export JAVA_HOME="path/to/JAVA_HOME" >> /etc/environment

2. Log out for these changes to apply.

Please try this and let me know the results.

Andy

 JAVA_HOME is not defined in this file, set it using the following command at a shell prompt, when logged in with 'root' level permissions:

export JAVA_HOME="path/to/JAVA_HOME" >> /etc/environment

Yes , I tried this with root permissions.

echo $JAVA_HOME

/bin/java

In the setenv.sh, I should comment out JAVA_HOME and not set the env there?

In the setenv.sh it specifically said do not comment out JAVA_HOME

I remember I set the JAVA_HOME environment variable there and it get the unary operator error.

I have done all the above, if you have used a bin installation , you can try to set the JAVA_HOME both in the environment and in the setenv.sh, you should be able to simulate the unary operator error, if you tried to use any Java other than the atlassian jre

Jira software 8.19 seems to have upgraded their inbuilt JRE.

I will try using the 8.19 bin file to upgrade the existing installation to check if it has resolved the issue.

https://confluence.atlassian.com/jirasoftware/jira-software-8-19-x-upgrade-notes-1082527584.html

Used the Jira software 8.19 bin file to upgrade existing,and run using its default JRE.

These are the vulnerabilities found:

- Apache Tomcat vulnerability

The version installed is 8.5.65 has HTTP transfer encoding request header vulnerability (CVE-2021-33037)

Recommendation: Upgrade Apache Tomcat to 8.5.68, where vulnerability is fixed.