Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

how does jira on premise server run plugins?

Yaniv K
Yaniv K January 19, 2021

Hello dear community,

We're trying to create a security policy regarding the installation of plugins from the marketplace on jira on-premise server.

1. Can someone confirm my assumtion that plugins run within the jvm on the server?

2. What about updates, can any author issue an update to their plugin and it will auto update on my server? or is it an elective process?

3. Does anyone knows if any malicious plugin incidents?

4. Does anyone knows if plugins where ever used as an attack vector?


Thanks in advance, community!

Answer
Watch
Like Be the first to like this
579 views

2 answers

1 accepted

0 votes
Answer accepted
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
January 19, 2021
  1. It's more complex than that - Jira provides a framework for apps to work on, but in turn, Jira is running inside an application server (Tomcat) which in itself is then running inside the JVM.  Not all apps run inside Jira, some run separately to it (but you'll spot these when you read the installation instructions for them, as they won't be just "click to add/upgrade")
  2. It's your server, your app, your choice when to upgrade.  Authors cannot push
  3. Yes.  You can get a lot of protection from the simple rule of "only install from the marketplace" - a couple of malicious ones have snuck through in the past, but it's rare and been quickly spotted.  Installing from other sources - don't.  Only use stuff:
    1. that's from marketplace
    2. debug versions of marketplace apps direct from vendors
    3. apps you've written internally and hence are in control of all the security
  4. Yes, security holes have been found and exploited in marketplace apps.  Again, it's rare, and been quickly fixed.
View More Comments
Yaniv K
Yaniv K January 19, 2021

Thank you for your detailed reply

Like
Reply
0 votes
Pedro Felgueiras
Pedro Felgueiras
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 19, 2021

Very interesting question @Yaniv K 

 

As far as I know 

1 - Yes, they run inside the JVM on the server

2 - You have to chose to upgrade the plugin 

3 - the plugins go throw an evaluation from Atlassian. it could happen but i think that hadn't happen. 

4 - You have to understand that some base functionalities are provided by plugins, made from Atlassian. I can remember that it happened on Confluence, but I'm sure it can happen on Jira. 

View More Comments
Yaniv K
Yaniv K January 19, 2021

Thank you for your reply!

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events