Vulnerability Open SSL Heartbleed Apache Tomcat JIRA

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 9, 2014

Is there any specific technical doc in JIRA and Confluence about configuring apache tomcat configuartion APR files? This relates to the OPEN SSL Heartblled issue. Some clients are asking about vulnerability at their sites. Is there any bulletin from Atlassian about the Tomcat/Apache Open SSL issue?

1 answer

1 accepted

1 vote
Answer accepted
Matheus Fernandes
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 9, 2014

Hi there,

Our findings have been published to this blog that outlines the issue context, please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/

I hope this helps

Tiago Comasseto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 9, 2014

Also, just a litlle clarification about the OpenSSL vulnerability inside APR and the tomcat shipped with Atlassian products to complement this answer.

This is the explanation from our security engineer:

While the Tomcat we ship does include native libraries, if you followed our instructions for setting up SSL (https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS, same for other products), you end up using Java's own implementation of SSL, which is not vulnerable.

In other words, if in conf/server.xml you see something along the lines of

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

then Java SSL is used.

If for some reason you have (note the SSLCertificateFile and SSLCertificateKeyFile directives)

<Connector port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCertificateFile="${user.home}/certificate.pem"
SSLCertificateKeyFile="${user.home}/key.pem"
clientAuth="optional"
SSLProtocol="TLSv1"/>

then you are likely to be using vulnerable libraries. You can replace this configuration and switch to Java SSL by following instructions on the link above.

Also, you can access this site to check if your site is vulnerable.

Cheers

Suggest an answer

Log in or Sign up to answer