Heartbleed: Serious OpenSSL vulnerability

Jijo John April 8, 2014

How does this OpenSSL vulnerability affect JIRA

We are using JIRA v4.3.4 (#620-r152668) with SSL - GoDaddy CA.

https://www.openssl.org/news/secadv_20140407.txt

http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

8 answers

1 accepted

2 votes
Answer accepted
Andre van der Elst April 8, 2014

Hi Jijo,

it *could* be affected, see: https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

It depends on whether you're running Apache-Native or not. I always have a webserver in front of Tomcat for SSL connections, so I'm not entirely sure about your Tomcat instance.

If you have access to a linux box (or a Mac) you can install this script and test for yourself: https://gist.github.com/sh1n0b1/10100394

1 vote
VitalyA April 10, 2014

Note: this comment applies only to standalone distributions, the ones that come with a built-in web server.

If you have followed our instructions on configuring SSL in any product (for example, https://confluence.atlassian.com/display/STASH/Securing+Stash+with+Tomcat+using+SSL), you are not using Tomcat's APR and "native" OpenSSL libraries, but Java's own implementation in javax.net.ssl. Java SSL does not even support heartbeats.

If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.

Moreover, Fisheye & Crucible installs Jetty instead of Tomcat. Jetty uses javax.net.ssl too.

If you have installed a WAR distribution, then we are not handling SSL and the app container might be using the host's libraries. Again, if you configured the server not to use APR, you're fine.

See also http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/.

1 vote
Andre van der Elst April 8, 2014

It depends on the webserver you're using. If you're using IIS, you're not affected for once. If you're using Apache on Windows you may be affected; I'm not sure what SSL library Apache on Windows uses.

If you're brave you can paste the URL of your Jira instance here to find out whether you're vulnerable or not: http://filippo.io/Heartbleed/

0 votes
Jijo John April 13, 2014

Thanks much Vitaly for clarification.

We are using other Atlassian products as well, those are on intranet.

AKASH BHARDWAJ April 15, 2014

Hi Vitaly,

We are using Atlassian Confluence 5.1 with OpenSSL Version -

OpenSSL 1.0.0-fips 29 Mar 2010

We are using this application within our network (Intranet).

I have gone through many articles, and some say that updating the Linux box will update it with the OpenSSL patch:

yum update

I have gone through your blog, which says Confluence uses its own internal Apache server to start the application and thus isn't much affected.

Can you please let me know your views on this? What if I proceed ahead with the patch; how does that affect my Confluence?

VitalyA April 21, 2014

Akash,

Raise a support ticket at http://support.atlassian.com.

0 votes
Jijo John April 8, 2014

Thank you very much for the script, I will run it on the Linux box and see if this is already affected.

Thanks again

0 votes
Jijo John April 8, 2014

Hi Andre,

The application version is Apache Tomcat/6.0.32 - Servlet API 2.5.

Below is the Apache Tomcat connector config:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false"
           keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore" keystorePass="xxxxxxx" maxHttpHeaderSize="8192"
           maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

VitalyA April 10, 2014

You are fine, this configuration uses Java's own SSL implementation.
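The distinction Vitaly draws above (JSSE connectors configured with keystoreFile versus APR connectors configured with SSLCertificateFile/SSLCertificateKeyFile) can be checked mechanically against a Tomcat server.xml. The script below is an added example, not code from the thread or from Atlassian: it parses a constructed server.xml modelled on the connector Jijo posted, classifies every SSLEnabled connector as JSSE, APR/native, or ambiguous, and reports whether the AprLifecycleListener has SSLEngine="on". The sample file contents, port numbers and certificate paths are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one plain HTTP
# connector, a JSSE connector like the one posted above, an APR/native
# connector, and a connector with the generic "HTTP/1.1" protocol.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector SSLEnabled="true" port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               keyAlias="tomcat" keystoreFile="C:\\JIRA\\.keystore" keystorePass="xxxxxxx"
               scheme="https" secure="true" sslProtocol="TLS" />
    <Connector SSLEnabled="true" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="/etc/ssl/certs/jira.crt"
               SSLCertificateKeyFile="/etc/ssl/private/jira.key" />
    <Connector SSLEnabled="true" port="9443" protocol="HTTP/1.1" keystoreFile="/opt/jira/.keystore" />
  </Service>
</Server>
"""

JSSE = "JSSE (javax.net.ssl; OpenSSL not involved)"
APR = "APR/native (Tomcat Native + OpenSSL; check the host's OpenSSL version)"
AMBIGUOUS = "ambiguous (auto-selected; APR only if the Tomcat Native library is loaded)"

# Attributes that only the APR/OpenSSL connector understands.
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile"}
# Explicit JSSE protocol implementations.
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
}


def classify_connector(attrs):
    """Decide which TLS stack an SSLEnabled Connector element will use."""
    protocol = attrs.get("protocol", "HTTP/1.1")
    if "Apr" in protocol or APR_ATTRS & set(attrs):
        return APR
    if protocol in JSSE_PROTOCOLS:
        return JSSE
    # "HTTP/1.1" lets Tomcat pick APR automatically when tcnative is on the
    # library path, so the answer depends on the runtime, not the config.
    return AMBIGUOUS


def audit_server_xml(xml_text):
    """Return (apr_ssl_engine_on, [(port, classification), ...])."""
    root = ET.fromstring(xml_text)
    apr_listener_on = any(
        listener.get("className") == "org.apache.catalina.core.AprLifecycleListener"
        and listener.get("SSLEngine", "off").lower() == "on"
        for listener in root.iter("Listener")
    )
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector; no TLS stack involved
        findings.append((conn.get("port"), classify_connector(conn.attrib)))
    return apr_listener_on, findings


if __name__ == "__main__":
    apr_on, findings = audit_server_xml(SAMPLE_SERVER_XML)
    print("AprLifecycleListener SSLEngine=on:", apr_on)
    for port, verdict in findings:
        print(f"port {port}: {verdict}")
```

For an ambiguous connector, the Tomcat startup log settles it: Tomcat prints "Loaded APR based Apache Tomcat Native library" when tcnative is in use, and a message that the library "was not found" otherwise. Only the APR/native case routes TLS through the host's OpenSSL and therefore matters for CVE-2014-0160.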

0 votes
Jijo John April 8, 2014

Hi Andre,

Thank you very much for the quick answer. We are using Windows Server 2008 R2 Standard with SP1. How is that affected, and how can we come out of this?

0 votes
Andre van der Elst April 8, 2014

Hi Jijo,

If you're using one of the affected distributions you should upgrade at least openssl/libopenssl, restart Apache, change your passwords, create a new server.key & server.csr and rekey the certificate (afaik this is without costs at GoDaddy).

Ubuntu 10.x is not affected, Ubuntu 12.04 LTS is affected. Centos6/RHEL6 is also affected.

For Ubuntu you can upgrade just openssl with the following commands:

apt-get update
apt-get install openssl libssl1.0.0

For CentOS:

yum install openssl

You can create a new server.key & csr with the following command:

openssl req -nodes -newkey rsa:2048 -keyout www.servername.com.key \
    -out www.servername.com.csr

When you've replaced the key & crt with new ones from GoDaddy you should revoke the old certificate.
