Hi All,
Currently we are using JIRA 3.13. This version has many vulnerabilities like XSS, CSRF, XFS, improper session management, no strong password policy, no account lockout feature, etc.
Could anyone please let me know which JIRA version eliminates all these vulnerabilities, and the steps required for migration?
Regards
Kavitha Sama
Basically, the security advice is usually "use the latest version". At the very least, you need to be on 5.1 or above to avoid a lot of the problems. Read https://confluence.atlassian.com/display/JIRA/Upgrading+JIRA and then I'd highly recommend reading every minor release note thereafter - 4.0, 4.1, 4.2 etc (don't worry too much about the point releases)
The password/lockout stuff can be fixed by using external user management :-) BUT, you'll need to do that in any version :-(
Thanks Nic Brough for clarifying the query and sharing valuable information. This link helps me with how to proceed with upgrading JIRA. I need a small clarification on the upgrading process.
While upgrading, will all the customized workflows in the current JIRA be copied to the new JIRA by restoring the backup XML of the old JIRA, or do we need to recreate the workflows in the new JIRA?
Kavitha Sama
The database contains everything - the only things that live outside the database are code changes, some small bits of configuration you can't do inside the application and your attachments. A slightly different way to think of it - if you can change it in the UI, it'll be upgraded.
Have installed the latest JIRA version 6.1.7 and observed that the CSRF and XSS vulnerabilities are closed, but there are still a few vulnerabilities observed, like cross frame scripting (XFS) attack, weak input validation and SQL injection, and it was recommended to enforce strong input validation and output encoding throughout the application, but the product allows all special characters, including the blacklisted characters. Please suggest how to fix this?
Also, how to restrict uploads to only specific file types, as this product allows all file types to be uploaded, i.e. any exe/double extension files (.bat.jpeg, .html, .dll, etc.) with malicious content. Please suggest.
Have a look at the security advisories, which inform us which vulnerabilities were resolved in which versions.
https://confluence.atlassian.com/display/JIRA/Security+Advisories
Rahul