Vulnerability Open SSL Heartbleed Apache Tomcat JIRA

Is there any specific technical doc in JIRA and Confluence about configuring apache tomcat configuartion APR files? This relates to the OPEN SSL Heartblled issue. Some clients are asking about vulnerability at their sites. Is there any bulletin from Atlassian about the Tomcat/Apache Open SSL issue?

1 answer

1 accepted

1 votes

Hi there,

Our findings have been published to this blog that outlines the issue context, please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/

I hope this helps

Also, just a litlle clarification about the OpenSSL vulnerability inside APR and the tomcat shipped with Atlassian products to complement this answer.

This is the explanation from our security engineer:

While the Tomcat we ship does include native libraries, if you followed our instructions for setting up SSL (https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS, same for other products), you end up using Java's own implementation of SSL, which is not vulnerable.

In other words, if in conf/server.xml you see something along the lines of

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

then Java SSL is used.

If for some reason you have (note the SSLCertificateFile and SSLCertificateKeyFile directives)

<Connector port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCertificateFile="${user.home}/certificate.pem"
SSLCertificateKeyFile="${user.home}/key.pem"
clientAuth="optional"
SSLProtocol="TLSv1"/>

then you are likely to be using vulnerable libraries. You can replace this configuration and switch to Java SSL by following instructions on the link above.

Also, you can access this site to check if your site is vulnerable.

Cheers

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

2,755 views 11 18
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot