It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Jira Server and service desk Upgrade - Security advisories

Hi Team,

We are planning to upgrade Jira and Confluence. Started from lower instances and upgraded Jira servcer to 8.3.2. Before we moving to another instance, we received 2 security advisories. One for confluence and other one for Jira service desk server (most recent one). 

According to the recent security advisory for Jira service desk (released on 09/18/19),

For Jira service desk 4.3.x version -  fixed version is 4.3.4. So for the compatibility with Jira server, we again need to upgrade Jira server to 8.3.4 version. 

Any suggestions on which version we could upgrade?

Latest version was released on 09/16/19. Any issues, if we upgrade to the latest version? Can we upgrade Jira, immediately after the version released? In what time frame the latest version will be tested after release date?

Security Advisory:

How often we get the security advisories? Any particular time fame or based on the risks detected in the application?

Thanks.

Regards,

Niveditha

1 answer

1 accepted

0 votes
Answer accepted
Andy Heinzer Atlassian Team Sep 20, 2019

Hi Niveditha,

I understand you have some questions about upgrading Jira and some concerns about when and how often Atlassian publishes such security advisories.  I hope I can shed some light on these.

In regards to the security advisories:  It is both time based and severity level dependent.  For our Server products, we always release our security advisories on Wednesdays.  And these advisories are typically only published for critical severity level security vulnerabilities.  More details are in Security Advisory Publishing Policy.   In relation to this, you might also be interested in our Security Bug Fix Policy, which outlines how and when we fix security issues in our products.

In regards to upgrading Jira: You could either upgrade Jira to 8.3.4 or 8.4.1 in order to avoid this first vulnerability and both versions have compatible Service Desk versions you can upgrade to that also prevent the other vulnerability.

The only consideration in my mind as to which version to upgrade to comes down to what plugins (aka add-ons or apps) you are running with Jira.  It is important to determine if those plugins yet have a compatible version for the latest version of Jira 8.4.1.  If they do not, then you might be more compatible with your existing add-ons to go with the 8.3.4 version.  It is more likely if you had Jira up and running with your add-ons in 8.3.2, that these would most likely still have compatible versions available for 8.3.4 either in their current versions or updated plugins versions available in Marketplace.  

The UPM (Universal Plugin Manager) within products like Jira and Confluence has a really helpful feature for figuring this out.  Check out Checking app compatibility with application updates.  This feature can help you to determine if you have any plugins that are not yet updated in Marketplace for the versions you intend to upgrade to.

As for upgrading Jira from lower versions:  You should be find to do this in a single upgrade provided that your Jira is running on a 7.0.0 and Service Desk is on a 3.0.0 version before this upgrade.  If you happen to have a Jira 6.x and Service Desk 2.x or earlier versions, you would need to first upgrade these to a 7.0.x/3.0.x version of Jira/Service Desk before you could then upgrade to the latest versions.  This requirement is noted in Skipping major versions when upgrading JIRA applications.   The only other concern with upgrading Jira tends to be to make sure that when you upgrade your are on a supported platform.  These are documented in Jira Supported platforms, and you will notice that the top right corner of that page has a version dropdown that can be useful for determining which version of the document applies to which version of Jira you have.

I hope this helps to answer all your questions.  Please let us know if you have any follow up concerns here.

Andy

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted in Jira

Demo Den Ep. 7: New Jira Cloud Reports

Learn how to use two new reports for next-gen projects in Jira Cloud:  Cumulative flow diagram and Sprint burndown chart. Ivan Teong, Product Manager, Jira Software, demos the Cumulative ...

303 views 1 3
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you