Vulnerability Open SSL Heartbleed Apache Tomcat JIRA

Is there any specific technical doc in JIRA and Confluence about configuring apache tomcat configuartion APR files? This relates to the OPEN SSL Heartblled issue. Some clients are asking about vulnerability at their sites. Is there any bulletin from Atlassian about the Tomcat/Apache Open SSL issue?

1 answer

1 accepted

1 vote
Accepted answer

Hi there,

Our findings have been published to this blog that outlines the issue context, please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/

I hope this helps

Also, just a litlle clarification about the OpenSSL vulnerability inside APR and the tomcat shipped with Atlassian products to complement this answer.

This is the explanation from our security engineer:

While the Tomcat we ship does include native libraries, if you followed our instructions for setting up SSL (https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS, same for other products), you end up using Java's own implementation of SSL, which is not vulnerable.

In other words, if in conf/server.xml you see something along the lines of

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

then Java SSL is used.

If for some reason you have (note the SSLCertificateFile and SSLCertificateKeyFile directives)

<Connector port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCertificateFile="${user.home}/certificate.pem"
SSLCertificateKeyFile="${user.home}/key.pem"
clientAuth="optional"
SSLProtocol="TLSv1"/>

then you are likely to be using vulnerable libraries. You can replace this configuration and switch to Java SSL by following instructions on the link above.

Also, you can access this site to check if your site is vulnerable.

Cheers

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,910 views 19 22
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you