Jira update for CVE-2018-1336 and CVE-2018-8037.

jimmo42 September 18, 2018

This may be more of a problem with the fact that I don't know (yet) how to navigate the Atlassian web site. I am looking for update information about the Tomcat security bugs CVE-2018-1336 and CVE-2018-8037. I see that Jira 7.12.1 is available, but I couldn't find information about what version of Tomcat it includes, so I downloaded the TGZ file and extracted the tomcat-docs/RELEASE-NOTES file. That says "Apache Tomcat Version 8.5.29", which still has the vulnerabilities. I would prefer not downloading other versions to see if they have a fixed Tomcat.

Is there any current information on the status of a Jira version with a patched Tomcat?
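The check described in the question (read tomcat-docs/RELEASE-NOTES out of the Jira tarball and compare the bundled Tomcat version against the release that carries the fix) can be scripted so that it does not require unpacking every candidate download. The script below is an added example, not code from the thread or from Atlassian; it assumes the RELEASE-NOTES path the question names, uses 8.5.32 (the Tomcat release cited in the answer) as the minimum acceptable version, and builds a small constructed tarball with a placeholder directory name so that it runs offline.

```shell
#!/bin/sh
# Added example: report the Tomcat version bundled in a Jira .tar.gz by reading
# tomcat-docs/RELEASE-NOTES from the archive, then compare it with the minimum
# fixed release. 8.5.32 is the Tomcat release named in the answer above.
MIN_FIXED_TOMCAT="8.5.32"

# Print the bundled Tomcat version found in a Jira tarball (exit 1 if absent).
bundled_tomcat_version() {
    tarball="$1"
    # Find the RELEASE-NOTES entry from the archive listing without unpacking it.
    entry=$(tar -tzf "$tarball" | grep '/tomcat-docs/RELEASE-NOTES$' | head -n 1)
    [ -n "$entry" ] || return 1
    # Stream only that member to stdout and pull the version from its header line.
    tar -xzOf "$tarball" "$entry" \
        | sed -n 's/^[[:space:]]*Apache Tomcat Version \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Return 0 if dotted version $1 is greater than or equal to $2 (POSIX sh, no sort -V).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 1
    done
    return 0
}

# Exit status: 0 = bundled Tomcat at or above the fixed release,
#              1 = below it (still affected), 2 = no RELEASE-NOTES in the archive.
check_jira_tarball() {
    v=$(bundled_tomcat_version "$1") || return 2
    [ -n "$v" ] || return 2
    if version_ge "$v" "$MIN_FIXED_TOMCAT"; then
        echo "bundled Tomcat $v: at or above $MIN_FIXED_TOMCAT"
        return 0
    fi
    echo "bundled Tomcat $v: below $MIN_FIXED_TOMCAT, still affected"
    return 1
}

# Constructed sample input: a minimal archive that mimics the layout the question
# describes. The directory name is a placeholder, and the header line copies the
# indented form used by Tomcat's RELEASE-NOTES.
make_sample_tarball() {
    work=$(mktemp -d)
    dir="jira-standalone-sample"
    mkdir -p "$work/$dir/tomcat-docs"
    printf '====\n      Apache Tomcat Version %s\n      Release Notes\n====\n' "$1" \
        > "$work/$dir/tomcat-docs/RELEASE-NOTES"
    tar -czf "$work/sample.tar.gz" -C "$work" "$dir"
    echo "$work/sample.tar.gz"
}

# Usage: check_jira_tarball /path/to/atlassian-jira-*.tar.gz
# Demonstration on the constructed sample carrying the version from the question.
sample=$(make_sample_tarball "8.5.29")
check_jira_tarball "$sample" || echo "exit status $? (1 = affected, 2 = RELEASE-NOTES not found)"
```

The version comparison is done field by field rather than with `sort -V` so the script stays portable to any POSIX sh; the exit status lets it be dropped into a pre-deployment check that refuses an archive whose bundled Tomcat is below the fixed release.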

1 answer

0 votes
Gabriele Franck
Atlassian Team
September 18, 2018

Hi @jimmo42


With regards to CVE-2018-8037 and CVE-2018-1336 our security team is aware of these vulnerabilities and currently working on the fix. We however do not maintain a public bug ticket for you to watch at the moment (for security reasons).

With regards to Tomcat release (which is 8.5.32), I need to point out though, you will be able to upgrade Tomcat if you are on the latest version of Jira 7.11. Referring to this KB article: https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-in-jira-7-x-879957866.html which notes: This article is mainly for users who are using JIRA latest version and encounter security vulnerability from the Apache Tomcat. If you are not using our JIRA latest version, please upgrade JIRA to have the latest fix instead of referring the steps here.


Hope this helps!

Gabi

jimmo42 September 26, 2018

It is my understanding that Atlassian officially supports bundled versions of Tomcat only. That would mean that once we have upgraded Tomcat as described in the article, Jira is no longer officially supported. Further, in the article mentioned above, it explicitly states "Atlassian Support cannot guarantee to provide any support for the steps described on this page". In other words, the only workaround is not officially supported by Atlassian and will create a version of Jira that is also not officially supported. Our customer is not going to be too happy that a non-supported fix is the only available solution to a security problem.

Is there any timeline when an officially supported fix will be available?
