Is there any specific technical doc in JIRA and Confluence about configuring apache tomcat configuartion APR files? This relates to the OPEN SSL Heartblled issue. Some clients are asking about vulnerability at their sites. Is there any bulletin from Atlassian about the Tomcat/Apache Open SSL issue?
Our findings have been published to this blog that outlines the issue context, please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/
I hope this helps
Also, just a litlle clarification about the OpenSSL vulnerability inside APR and the tomcat shipped with Atlassian products to complement this answer.
This is the explanation from our security engineer:
While the Tomcat we ship does include native libraries, if you followed our instructions for setting up SSL (https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS, same for other products), you end up using Java's own implementation of SSL, which is not vulnerable.
In other words, if in
conf/server.xmlyou see something along the lines of
then Java SSL is used.
If for some reason you have (note the
then you are likely to be using vulnerable libraries. You can replace this configuration and switch to Java SSL by following instructions on the link above.
Also, you can access this site to check if your site is vulnerable.
In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to have–in order to produce a reliable long-term roadmap. We're tur...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs