Heartbleed: Serious OpenSSL vulnerability

How does this OpenSSL vulnerability affect JIRA

We are using JIRA v4.3.4 (#620-r152668) with SSL (GoDaddy CA).

https://www.openssl.org/news/secadv_20140407.txt

http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

8 answers

1 accepted

Hi Jijo,

it *could* be affected, see: https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

It depends on whether you're running Apache-Native or not. I always have a webserver in front of Tomcat for SSL connections, so I'm not entirely sure about your Tomcat instance.

If you have access to a linux box (or a Mac) you can install this script and test for yourself: https://gist.github.com/sh1n0b1/10100394

It depends on the webserver you're using. If you're using IIS you're not affected for once. If you're using Apache on Windows you may be affected. I'm not sure what SSL library Apache on Windows uses.

If you're brave you can paste the URL of your Jira instance here to find out if you're vulnerable or not: http://filippo.io/Heartbleed/

Note: this comment applies only to standalone distributions, the ones that come with a built in web server.

If you have followed our instructions on configuring SSL in any product (for example, https://confluence.atlassian.com/display/STASH/Securing+Stash+with+Tomcat+using+SSL), you are not using Tomcat's APR and "native" OpenSSL libraries, but Java's own implementation in javax.net.ssl. Java SSL does not even support heartbeats.

If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.

Moreover, Fisheye & Crucible install Jetty instead of Tomcat. Jetty uses javax.net.ssl too.

If you have installed a WAR distribution, then we are not handling SSL and the app container might be using host’s libraries. Again, if you configured the server not to use APR, you’re fine.

See also http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/.

Hi Jijo,

if you're using one of the affected distributions you should upgrade at least openssl/libopenssl, restart Apache, change your passwords, create a new server.key & server.csr and rekey the certificate (afaik this is without costs at GoDaddy).

Ubuntu 10.x is not affected, Ubuntu 12.04 LTS is affected. Centos6/RHEL6 is also affected.

For Ubuntu you can upgrade just openssl with the following commands:

apt-get update
apt-get install openssl libssl1.0.0

For CentOS:

yum install openssl

You can create a new server.key & csr with the following command:

openssl req -nodes -newkey rsa:2048 -keyout www.servername.com.key -out www.servername.com.csr

When you've replaced the key & crt with new ones from Godaddy you should revoke the old certificate.

Hi Andre,

Thank you very much for the quick answer. We are using Windows Server 2008 R2 Standard with SP1. How does that get affected, and how can we come out of this?

Hi Andre,

The application version is Apache Tomcat/6.0.32 - Servlet API 2.5.

Below is the Tomcat connector config:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false"
           keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore" keystorePass="xxxxxxx" maxHttpHeaderSize="8192"
           maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

You are fine, this configuration uses Java's own SSL implementation.
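The rule Vitaly gives (keystoreFile + Http11Protocol means JSSE, SSLCertificateFile/APR means OpenSSL) is easy to apply by eye to one connector, but a server.xml can carry several, and a connector declared with the generic protocol="HTTP/1.1" is resolved by Tomcat at startup to APR if the AprLifecycleListener finds tcnative, and to the Java connector otherwise. As an added example (not code from the thread or from Atlassian), here is a small Python audit that reads a server.xml and classifies each SSL connector; the sample server.xml is constructed for this example, with the first connector modelled on the JIRA config posted above, and the attribute sets and verdict strings are assumptions of this script.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real install) with several SSL connector styles.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <!-- JSSE: Java keystore + explicit pure-Java protocol class (like the JIRA config above) -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="C:\\JIRA\\.keystore" keystorePass="changeit" keyAlias="tomcat"/>
    <!-- APR: tcnative + OpenSSL, PEM files instead of a keystore -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/ssl/certs/jira.crt"
               SSLCertificateKeyFile="/etc/ssl/private/jira.key"/>
    <!-- Generic protocol name: Tomcat picks APR if tcnative loads, JSSE otherwise -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/jira/.keystore" keystorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  </Service>
</Server>
"""

# Attribute names that only make sense for one connector family (assumption: Tomcat 6/7 era names).
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile", "SSLCACertificateFile"}
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keyAlias", "truststoreFile"}


def classify_connector(attrs):
    """Return 'no-ssl', 'apr', 'jsse' or 'depends-on-tcnative' for one <Connector> attribute dict."""
    if attrs.get("SSLEnabled", "").lower() != "true":
        return "no-ssl"
    protocol = attrs.get("protocol", "HTTP/1.1")
    keys = set(attrs)
    if "AprProtocol" in protocol or keys & APR_ATTRS:
        return "apr"                      # OpenSSL via tcnative: Heartbleed-relevant
    if protocol == "HTTP/1.1":
        # Resolved at startup: APR if AprLifecycleListener finds tcnative, else the Java connector.
        return "depends-on-tcnative"
    if "Http11Protocol" in protocol or "Nio" in protocol or keys & JSSE_ATTRS:
        return "jsse"                     # javax.net.ssl: no heartbeat extension at all
    return "depends-on-tcnative"


def audit_server_xml(xml_text):
    """List (port, verdict) for every connector; flags the APR listener so 'depends' cases can be resolved."""
    root = ET.fromstring(xml_text)
    apr_listener = any("AprLifecycleListener" in (l.get("className") or "")
                       for l in root.iter("Listener"))
    results = []
    for c in root.iter("Connector"):
        results.append((c.get("port"), classify_connector(c.attrib)))
    return results, apr_listener


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    verdicts, listener = audit_server_xml(text)
    print("AprLifecycleListener present:", listener)
    for port, verdict in verdicts:
        print("port %s: %s" % (port, verdict))
```

Run it against a real file with `python audit_server_xml.py /path/to/conf/server.xml`. A connector reported as `depends-on-tcnative` needs one more check on the host: whether the Tomcat native library (tcnative) is actually installed and loaded, which the Tomcat startup log reports; only then is the host's OpenSSL, not Java, terminating TLS for that port.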

Thank you very much for the script, will run it on the Linux box and see if this is already affected.

Thanks again

Thanks much Vitaly for clarification.

We are using other Atlassian products as well, those are on intranet.

Hi Vitaly,

We are using Atlassian Confluence 5.1 with OpenSSL version:

OpenSSL 1.0.0-fips 29 Mar 2010

We are using this application within our network (Intranet).

I have gone through many articles, and some say that updating the Linux box will apply the OpenSSL patch:

yum update

I have gone through your blog, which says Confluence uses its own internal Apache server to start the application and thus the Atlassian application is not much affected.

Can you please let me know your views on this? What if I proceed ahead with the patch, how does that affect my Confluence?
