Is Jira 8.13.18 affected by CVE-2022-25762?

We are using Jira 8.13.18, Server edition of Jira,

which in turn uses Tomcat 8.5.72.

Are we affected? Should we upgrade to the corresponding LTS version?

Below is the explanation regarding the CVE for reference.

As per the CVE:
CVE-2022-25762 Apache Tomcat - Request Mix-up

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.20
Apache Tomcat 8.5.0 to 8.5.75

Description:
If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.21 or later
- Upgrade to Apache Tomcat 8.5.76 or later
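The question above comes down to a version-range check against the advisory, and the ranges have an edge case worth getting right: the 9.0.x range starts at the milestone build 9.0.0.M1, which sorts before the 9.0.0 release, and Tomcat's own `server.number` uses a four-part form such as 8.5.72.0. The following added example (not code from the thread, Atlassian or Apache) parses those forms and tests a bundled version against the inclusive ranges quoted above. It assumes the bundled Tomcat version is recorded under a `server.number` key in `ServerInfo.properties` inside `lib/catalina.jar`; the properties text embedded below is constructed for the demonstration.

```python
import re
from typing import Tuple

# Affected ranges exactly as listed in the Apache advisory for CVE-2022-25762
# (inclusive lower and upper bounds).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.20"),
    ("8.5.0", "8.5.75"),
]

# major.minor.patch, followed by either ".M<n>" (milestone build) or an optional
# ".<build>" suffix such as the "8.5.72.0" form used by Tomcat's server.number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+)|\.(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_tomcat_version(text: str) -> VersionKey:
    """Return a sortable key (major, minor, patch, is_release, milestone).

    Milestone builds get is_release=0 so that 9.0.0.M1 sorts before the
    final 9.0.0 release; a trailing build number (8.5.72.0) is ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone, _build = m.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range (bounds inclusive)."""
    v = parse_tomcat_version(version)
    return any(
        parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi)
        for lo, hi in AFFECTED_RANGES
    )


def server_number_from_properties(text: str) -> str:
    """Extract the server.number value from ServerInfo.properties content."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.number":
            return value.strip()
    raise ValueError("server.number not found in properties text")


# Constructed sample mirroring the layout of ServerInfo.properties
# (assumption about the file's keys; the build date is a placeholder).
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/8.5.72
server.number=8.5.72.0
server.built=Jan 1 2000 00:00:00 UTC
"""


def assess(properties_text: str) -> Tuple[str, bool]:
    """Return (bundled server.number, whether it is in an affected range)."""
    number = server_number_from_properties(properties_text)
    return number, is_affected(number)


if __name__ == "__main__":
    for v in ["8.5.72", "8.5.75", "8.5.76", "8.5.78",
              "9.0.0.M1", "9.0.0", "9.0.20", "9.0.21"]:
        print(f"{v:10s} affected={is_affected(v)}")
    number, hit = assess(SAMPLE_SERVER_INFO)
    print(f"bundled server.number={number} affected={hit}")
```

Run against the constructed sample, `assess` reports 8.5.72.0 as inside the 8.5.0 to 8.5.75 range, while 8.5.76 and later, and 9.0.21 and later, fall outside it. The same comparator can be reused for other Tomcat advisories by swapping in their published ranges.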

1 answer

0 votes
Clark Everson Community Leader May 17, 2022

Hi @suresh kumar 

https://confluence.atlassian.com/kb/faq-for-cve-2022-22965-1115149136.html Atlassian is still looking into it. But based on the products completed in research it is not. This link will most likely be updated when needed.

 

Best,
Clark

Hi Clark,

your link points to CVE-2022-22965 (Spring4Shell), not to CVE-2022-25762 (Tomcat).

Why?

 

Regards,
Tom


Updating to Jira 8.20.8 updates Tomcat to 8.5.78 (a version that is not affected).
https://jira.atlassian.com/browse/JRASERVER-73773 
