OpenJDK Vulnerability CVE-2021-2388


 

The bin installer of Jira Server 8.19 is using JDK 11.0.11 and is affected by the vulnerability below.

 

Based on 20 Jul 21 OpenJDK advisory, 

https://openjdk.java.net/groups/vulnerability/advisories/2021-07-20

OpenJDK Vulnerability Advisory: 2021/07/20

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 16.0.1, 15.0.3, 13.0.7, 11.0.11, 8u292, 7u301, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.

https://nvd.nist.gov/vuln/detail/CVE-2021-2388

 

I have installed on-prem using the Jira 8.19 bin installer

 

Not sure if 8.19.1 has fixed this?

1 answer

0 votes

Hi jy,

I didn't find a reference to this fix in the release notes:

https://confluence.atlassian.com/jiracore/jira-core-8-19-x-release-notes-1082527670.html

I was also looking for a reference in the Atlassian Jira project that tracks fixes but didn't find CVE-2021-2388:

https://jira.atlassian.com/issues/?jql=text%20~%20CVE-2021-2388

I tried to create an issue on this, but I can't create one as I do not have the permissions to.

If possible, can someone help to create an issue on this?

Thanks.

I installed the latest version, 8.19.1, and checked that it is using AdoptOpenJDK 11.0.11, which is still affected by the CVE.

Hi everyone, thank you for reporting this. 


I have raised the bug here:


I'd like to ask about the workaround:

Install/download the version of Java required by JIRA (see Supported Platforms); - Install OpenJDK 11 RHEL rpm , is that OK?
Stop JIRA;
Set the path where you installed Java as the JAVA_HOME (JDK) or JRE_HOME (JRE) variables for JIRA (see instructions below);

Note: If JRE_HOME is not defined, Jira will define its value using the JAVA_HOME value

 

Go to the location where you installed JIRA, then to the bin folder;
Edit the setenv.sh file and add the line at the initial lines:

JAVA_HOME="/path/to/new/jdk"
Set PATH  to include the <Java>/bin folder
PATH="/path/to/new/jdk
 

After that, the bin installer should use the rpm OpenJDK instead of the bin installer AdoptOpenJDK?

I am using the bin installer and I tried to change the JAVA_HOME last time, but it didn't work.

 

This was the last error faced:

 

check-java.sh

line 31:

if [ $java_version -ne 8]  && [ $java_version -ne 11]

 

I am using:

OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)

I have updated to 8.21.1 and it's still using OpenJDK 11.0.11. In this link, https://jira.atlassian.com/browse/JRASERVER-72880?jql=text%20~%20CVE-2021-2388

it mentions that it was fixed in 8.20.4?

Any plans to fix this?

I would like to check if this is going to be fixed:

OpenJDK installed version: 11.0.11
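
Added example, not part of the thread and not Atlassian's check-java.sh: a shell check that classifies a Java build string against the affected versions quoted from the advisory above (16.0.1, 15.0.3, 13.0.7, 11.0.11, 8u292, 7u301 and earlier). The function names and the AdoptOpenJDK sample line are constructed for illustration; release lines the advisory does not name are reported as unlisted.

```shell
#!/bin/sh
# Added example (not Atlassian's check-java.sh); thresholds are from the quoted advisory.

# Pull the build string out of `java -version` output read from stdin.
java_build_from_output() {
    sed -n 's/.*Runtime Environment.*(build \([^)]*\)).*/\1/p' | head -n 1
}

# Normalise 11.0.12+7-LTS, 8u292 or 1.8.0_292-b10 to "major minor update".
normalize_java_version() (
    set -f
    v="${1%%[+-]*}"                      # drop build number and suffix
    case "$v" in
        1.*_*) m="${v#1.}"; echo "${m%%.*} 0 ${v##*_}" ;;
        *u*)   echo "${v%%u*} 0 ${v##*u}" ;;
        *)     IFS=.; set -- $v; echo "${1:-0} ${2:-0} ${3:-0}" ;;
    esac
)

# Print affected, patched, unlisted or unparsed for one version string.
advisory_status() (
    set -f
    set -- $(normalize_java_version "$1")
    major=${1:-x} minor=${2:-0} update=${3:-0}
    # Highest affected version per release line, as listed in the advisory.
    case "$major" in
        16) max="0 1" ;;  15) max="0 3" ;;   13) max="0 7" ;;
        11) max="0 11" ;; 8)  max="0 292" ;; 7)  max="0 301" ;;
        *)  max="" ;;     # lines the advisory does not name: review by hand
    esac
    set -- $max
    case "$major$minor$update" in *[!0-9]*) echo unparsed ;; *)
        if [ -z "$max" ]; then echo unlisted
        elif [ "$minor" -lt "$1" ] || { [ "$minor" -eq "$1" ] && [ "$update" -le "$2" ]; }
        then echo affected
        else echo patched
        fi ;;
    esac
)

# Output quoted in the thread, plus a constructed line for the bundled 11.0.11.
SAMPLE='OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)'
CONSTRUCTED='OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)'

for out in "$SAMPLE" "$CONSTRUCTED"; do
    build=$(printf '%s\n' "$out" | java_build_from_output)
    echo "$build: $(advisory_status "$build")"
done
```

To check the runtime a Jira install actually resolves, pipe `"$JAVA_HOME/bin/java" -version 2>&1` into `java_build_from_output` instead of the embedded samples.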
