Which JIRA version closes CSRF, XSS attacks

kavitha sama February 24, 2014

Hi All,

Currently we are using JIRA 3.13. This version has many vulnerabilities like XSS, CSRF, XFS, improper session management, no strong password policy, no account lockout feature, etc.

Could anyone please let me know which JIRA version eliminates all these vulnerabilities and the steps required for migration.

Regards

Kavitha Sama

3 answers

1 accepted

0 votes
Answer accepted
Nic Brough -Adaptavist-
Community Leader
February 24, 2014

Basically, the security advice is usually "use the latest version". At the very least, you need to be on 5.1 or above to avoid a lot of the problems. Read https://confluence.atlassian.com/display/JIRA/Upgrading+JIRA and then I'd highly recommend reading every minor release note thereafter - 4.0, 4.1, 4.2 etc. (don't worry too much about the point releases).

The password/lockout stuff can be fixed by using external user management :-) BUT, you'll need to do that in any version :-(

kavitha sama February 25, 2014

Thanks Nic Brough for clarifying the query and sharing valuable information. This link helps me with how to proceed with upgrading JIRA. I need a small clarification on the upgrading process.

While upgrading, will all the customized workflows in the current JIRA be copied to the new JIRA by restoring the backup XML of the old JIRA, or do we need to recreate the workflows in the new JIRA?

Kavitha Sama

Nic Brough -Adaptavist-
Community Leader
February 25, 2014

The database contains everything - the only things that live outside the database are code changes, some small bits of configuration you can't do inside the application and your attachments. A slightly different way to think of it - if you can change it in the UI, it'll be upgraded.

0 votes
kavitha sama October 21, 2014

Have installed the latest JIRA version 6.1.7 and observed that CSRF and XSS vulnerabilities are closed, but still there are a few vulnerabilities observed like cross frame scripting (XFS) attack and vulnerable input validation / SQL injection. We were recommended to enforce strong input validation and output encoding throughout the application, but the product allows all special characters including the blacklisted characters. Please suggest how to fix this?

Also, how to restrict uploads to only specific file types, as this product allows all file types to be uploaded, i.e. any exe / double extension files (.bat.jpeg, .html, .dll, etc.) with malicious content. Please suggest.
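The two requests in the post above (restrict uploads to specific file types, and deal with "all special characters being accepted") are usually answered at the application boundary rather than by blocklisting characters. The following is an added example, not code from the original thread or from JIRA: a small Python upload gate that uses an allowlist of extensions, refuses double extensions such as `.bat.jpeg`, checks that the file's leading bytes match the claimed type, and an output-encoding helper showing why special characters can be stored as-is as long as they are encoded when rendered. `ALLOWED_EXTENSIONS`, `MAGIC`, `upload_allowed` and `render_user_text` are names and policy choices assumed for this example.

```python
import html
from typing import Tuple

# Constructed allowlist: the extensions a team decides to accept (an assumption
# for this example, not a JIRA setting).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Leading bytes ("magic numbers") expected for the binary types above, so a file
# named .png whose content starts like a Windows executable is rejected.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def upload_allowed(filename: str, content: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored. Returns (allowed, reason).

    Rules: no path separators or NUL bytes in the name; exactly one extension,
    which must be on the allowlist (so 'payload.bat.jpeg' is refused even though
    it ends in .jpeg); for binary types the content must start with the expected
    magic bytes; text uploads must decode as UTF-8.
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or NUL byte in file name"
    parts = filename.strip().lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "file name must be <name>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not on the allowlist"
    expected = MAGIC.get(ext)
    if expected and not any(content.startswith(m) for m in expected):
        return False, f"content does not look like a .{ext} file"
    if ext == "txt":
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text upload is not valid UTF-8"
    return True, "ok"


def render_user_text(text: str) -> str:
    """Output encoding for an HTML context. Special characters stay in the stored
    value (a blocklist at input time is not what closes XSS); they are neutralised
    at the moment they are rendered into a page."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample uploads, including the double-extension case from the post.
    samples = [
        ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("payload.bat.jpeg", b"\xff\xd8\xff\xe0"),
        ("tool.exe", b"MZ\x90\x00"),
        ("fake.png", b"MZ\x90\x00"),
        ("../notes.txt", b"hello"),
        ("notes.txt", b"hello"),
    ]
    for fname, data in samples:
        print(fname, upload_allowed(fname, data))
    print(render_user_text('<a href="x">'))
```

The allowlist deliberately admits only one dotted extension; a team that needs `.tar.gz` would extend the rule to a list of permitted compound suffixes rather than relaxing it to "last extension only". The magic-byte check is the part that catches an executable renamed to an image, which a name-only check cannot.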


0 votes
Rahul Aich [Nagra]
Rising Star
February 24, 2014

Have a look at the security advisories, which inform us which vulnerabilities were resolved in which versions.

https://confluence.atlassian.com/display/JIRA/Security+Advisories

Rahul
