Is there any specific technical doc in JIRA and Confluence about configuring apache tomcat configuartion APR files? This relates to the OPEN SSL Heartblled issue. Some clients are asking about vulnerability at their sites. Is there any bulletin from Atlassian about the Tomcat/Apache Open SSL issue?
Our findings have been published to this blog that outlines the issue context, please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/
I hope this helps
Also, just a litlle clarification about the OpenSSL vulnerability inside APR and the tomcat shipped with Atlassian products to complement this answer.
This is the explanation from our security engineer:
While the Tomcat we ship does include native libraries, if you followed our instructions for setting up SSL (https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS, same for other products), you end up using Java's own implementation of SSL, which is not vulnerable.
In other words, if in
conf/server.xmlyou see something along the lines of
then Java SSL is used.
If for some reason you have (note the
then you are likely to be using vulnerable libraries. You can replace this configuration and switch to Java SSL by following instructions on the link above.
Also, you can access this site to check if your site is vulnerable.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG