Heartbleed: Serious OpenSSL vulnerability

How does this OpenSSL vulnerability affect JIRA

We are using JIRA (v4.3.4#620-r152668) with SSL - GoDaddy CA.

8 answers

1 accepted

2 votes
Answer accepted

Hi Jijo,

it *could* be affected, see:

It depends on if you're running Apache-Native or not, I always have a webserver in front of Tomcat for ssl connections so I'm not entirely sure about your tomcat instance.

If you have access to a linux box (or a Mac) you can install this script and test for yourself:

It depends on the webserver you're using. If you're using IIS you're not affected for once. If you're using Apache on Windows you may be affected. I'm not sure what SSL library Apache on Windows uses.

If you're brave you can paste the URL to your Jira instance here to find out if you're vulnerable or not:

Note: this comment applies only to standalone distributions, the ones that come with a built in web server.

If you have followed our instructions on configuring SSL in any product (for example,, you are not using Tomcat’s APR and “native” OpenSSL libraries, but Java’s own implementation in Java SSL does not even support heartbeats.

If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.

Moreover, Fisheye & Crucible installs Jetty instead of Tomcat. Jetty uses too.

If you have installed a WAR distribution, then we are not handling SSL and the app container might be using host’s libraries. Again, if you configured the server not to use APR, you’re fine.

See also

Hi Jijo,

If you're using one of the affected distributions you should upgrade at least openssl/libopenssl, restart Apache, change your passwords, create a new server.key & server.csr and rekey the certificate (afaik this is without costs at GoDaddy).

Ubuntu 10.x is not affected, Ubuntu 12.04 LTS is affected. Centos6/RHEL6 is also affected.

For Ubuntu you can upgrade just openssl with the following commands:

apt-get update
apt-get install openssl libssl1.0.0

For CentOS:

yum install openssl

You can create a new server.key & csr with the following command:

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

When you've replaced the key & crt with new ones from GoDaddy you should revoke the old certificate.

Hi Andre,

Thank you very much for the quick answer. We are using Windows Server 2008 R2 Standard and SP1. How is that affected, and how can we come out of this?

Hi Andre,

The application version is Apache Tomcat/6.0.32 - Servlet API 2.5.

Below is the Apache connector config:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false"
keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore" keystorePass="xxxxxxx" maxHttpHeaderSize="8192"
maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Protocol"
scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

You are fine, this configuration uses Java's own SSL implementation.
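
The rule used in the replies above (keystore attributes with a Java protocol class mean Java's own SSL; SSLCertificateFile/SSLCertificateKeyFile mean APR and native OpenSSL) can be checked mechanically against server.xml. This is an added example, not part of the original thread and not Atlassian's code; the function name, verdict labels and sample XML are assumptions for illustration, and protocol="HTTP/1.1" is reported as undetermined because Tomcat chooses that connector at runtime.

```python
import xml.etree.ElementTree as ET

# Attribute names are compared lower-cased so casing slips do not hide a match.
APR_ATTRS = {"sslcertificatefile", "sslcertificatekeyfile"}
JSSE_ATTRS = {"keystorefile", "keystorepass", "keyalias"}
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # blocking Java connector
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO Java connector
}
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def classify_connectors(server_xml):
    """Return [(port, verdict)] for every SSL-enabled <Connector>."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        if attrs.get("sslenabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, no TLS terminated here
        protocol = attrs.get("protocol", "HTTP/1.1")
        if protocol == APR_PROTOCOL or not APR_ATTRS.isdisjoint(attrs):
            verdict = "apr-openssl"   # native OpenSSL: check its version
        elif protocol in JSSE_PROTOCOLS and not JSSE_ATTRS.isdisjoint(attrs):
            verdict = "jsse"          # Java's own TLS stack
        else:
            verdict = "undetermined"  # connector type is picked at runtime
        results.append((attrs.get("port", "?"), verdict))
    return results


# Constructed sample: the 443 connector mirrors the one posted in this thread
# (password masked); the other connectors and paths are made up for contrast.
SAMPLE = r"""
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector SSLEnabled="true" port="443" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11Protocol"
             keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore"
             keystorePass="xxxxxxx" sslProtocol="TLS"/>
  <Connector SSLEnabled="true" port="8443" protocol="HTTP/1.1"
             SSLCertificateFile="/path/to/server.crt"
             SSLCertificateKeyFile="/path/to/server.key"/>
  <Connector SSLEnabled="true" port="9443" protocol="HTTP/1.1"/>
</Service></Server>
"""

if __name__ == "__main__":
    for port, verdict in classify_connectors(SAMPLE):
        print(port, verdict)
```

A verdict of "apr-openssl" or "undetermined" only tells you where to look next: the OpenSSL library actually loaded by that Tomcat instance still has to be checked.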

Thank you very much for the script, I will run it on the Linux box and see if this is already affected.

Thanks again

Thanks much Vitaly for clarification.

We are using other Atlassian products as well, those are on intranet.

Hi Vitaly,

We are using Atlassian Confluence 5.1 with OpenSSL Version -

OpenSSL 1.0.0-fips 29 Mar 2010

We are using this application within our network (Intranet).

I have gone through many articles, and some say that updating the Linux box will apply the OpenSSL patch.

yum install update

I have gone through your blog which says Confluence uses its own internal Apache server to start the application and thus doesn't have much effect on Atlassian application.

Can you please let me know your views on this? What if I proceed ahead with the patch, how does that affect my Confluence?


Raise a support ticket at
