How does this OpenSSL vulnerability affect JIRA
We are using JIRA v4.3.4#620-r152668 with SSL (GoDaddy CA).
It *could* be affected, see: https://issues.apache.org/bugzilla/show_bug.cgi?id=56363
It depends on whether you're running Apache-Native or not. I always have a webserver in front of Tomcat for SSL connections, so I'm not entirely sure about your Tomcat instance.
If you have access to a linux box (or a Mac) you can install this script and test for yourself: https://gist.github.com/sh1n0b1/10100394
It depends on the webserver you're using. If you're using IIS, you're not affected, for once. If you're using Apache on Windows you may be affected. I'm not sure what SSL library Apache on Windows uses.
If you're brave you can paste the URL of your Jira instance here to find out if you're vulnerable or not: http://filippo.io/Heartbleed/
Note: this comment applies only to standalone distributions, the ones that come with a built in web server.
If you have followed our instructions on configuring SSL in any product (for example, https://confluence.atlassian.com/display/STASH/Securing+Stash+with+Tomcat+using+SSL), you are not using Tomcat’s APR and “native” OpenSSL libraries, but Java’s own implementation in javax.net.ssl. Java SSL does not even support heartbeats.
If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.
Moreover, Fisheye & Crucible install Jetty instead of Tomcat. Jetty uses javax.net.ssl too.
If you have installed a WAR distribution, then we are not handling SSL and the app container might be using the host’s libraries. Again, if you configured the server not to use APR, you’re fine.
If you're using one of the affected distributions you should upgrade at least openssl/libopenssl, restart Apache, change your passwords, create a new server.key & server.csr and rekey the certificate (afaik this is without costs at GoDaddy).
Ubuntu 10.x is not affected, Ubuntu 12.04 LTS is affected. Centos6/RHEL6 is also affected.
For Ubuntu you can upgrade just openssl with the following commands:
apt-get update
apt-get install openssl libssl1.0.0
yum install openssl
You can create a new server.key & csr with the following command:
openssl req -nodes -newkey rsa:2048 -keyout www.servername.com.key -out www.servername.com.csr
When you've replaced the key & crt with new ones from GoDaddy you should revoke the old certificate.
The application version is Apache Tomcat/6.0.32 - Servlet API 2.5.
Below is the Apache connector config:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false"
keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore" keystorePass="xxxxxxx" maxHttpHeaderSize="8192"
maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Protocol"
scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>
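The Atlassian reply above draws the line between Tomcat's JSSE connector (keystoreFile, javax.net.ssl, no heartbeat support) and the APR/native connector (SSLCertificateFile / SSLCertificateKeyFile, OpenSSL). The following script is an added example, not code from anyone in this thread or from Atlassian: it reads a Tomcat server.xml and reports which TLS stack each SSL-enabled Connector uses, and also classifies an `openssl version` string against the Heartbleed range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and the 1.0.0/0.9.8 branches are not affected). The JSSE sample below is the connector posted above, wrapped in a minimal server.xml skeleton; the APR sample, the AprLifecycleListener line and all file paths in it are constructed for illustration. A version string alone is not conclusive, because distributions backport fixes without bumping the version, so the version check says "vulnerable-by-version" rather than "confirmed".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the JSSE connector posted in this thread, wrapped in a minimal
# server.xml skeleton so it parses as a document (keystorePass is redacted as in the post).
SAMPLE_JSSE_XML = r"""<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true"
      enableLookups="false" keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore" keystorePass="xxxxxxx"
      maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443"
      protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true"
      sslProtocol="TLS" useBodyEncodingForURI="true"/>
  </Service>
</Server>"""

# Constructed sample 2: an APR/OpenSSL-style connector of the kind the Atlassian reply
# describes (SSLCertificate* directives). The listener line and the paths are made up.
SAMPLE_APR_XML = r"""<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
      protocol="org.apache.coyote.http11.Http11AprProtocol"
      SSLCertificateFile="/etc/pki/tls/certs/server.crt"
      SSLCertificateKeyFile="/etc/pki/tls/private/server.key"/>
  </Service>
</Server>"""

# Attribute names that only the APR/OpenSSL connector understands.
APR_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCertificateChainFile", "SSLCACertificateFile")


def classify_connectors(server_xml: str) -> list:
    """Return one record per SSL-enabled <Connector>: which TLS stack it uses and why."""
    root = ET.fromstring(server_xml)
    # An AprLifecycleListener means the Tomcat-native library *may* be loaded; with the
    # generic protocol="HTTP/1.1" Tomcat then auto-selects the APR connector.
    apr_listener = any("AprLifecycleListener" in (lst.get("className") or "")
                       for lst in root.iter("Listener"))
    results = []
    for conn in root.iter("Connector"):
        if (conn.get("SSLEnabled") or "").lower() != "true":
            continue
        protocol = conn.get("protocol") or "HTTP/1.1"
        apr_hit = any(a in conn.attrib for a in APR_ATTRS) or "Apr" in protocol
        jsse_hit = "keystoreFile" in conn.attrib or protocol.endswith("Http11Protocol") \
            or protocol.endswith("Http11NioProtocol")
        if apr_hit and not jsse_hit:
            stack = "APR/OpenSSL"
        elif jsse_hit and not apr_hit and not (protocol == "HTTP/1.1" and apr_listener):
            stack = "JSSE"
        elif apr_listener and protocol == "HTTP/1.1":
            stack = "undetermined: APR auto-selected if tcnative is loaded"
        else:
            stack = "undetermined: mixed or missing TLS attributes"
        results.append({"port": conn.get("port"), "protocol": protocol, "stack": stack})
    return results


VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def classify_openssl_version(version_line: str) -> str:
    """Classify an `openssl version` string against the Heartbleed range 1.0.1 to 1.0.1f.

    Distribution packages often backport the fix while keeping the old version number,
    so 'vulnerable-by-version' means 'check the package changelog', not 'confirmed'.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    # Letter "" (plain 1.0.1) through "f" are in range; "g" and later are fixed.
    if (major, minor, patch) == (1, 0, 1) and letter <= "f":
        return "vulnerable-by-version"
    return "not-affected"


if __name__ == "__main__":
    for label, xml_text in (("posted connector", SAMPLE_JSSE_XML), ("APR sample", SAMPLE_APR_XML)):
        for rec in classify_connectors(xml_text):
            print(f"{label}: port {rec['port']} -> {rec['stack']}")
    for line in ("OpenSSL 1.0.0-fips 29 Mar 2010", "OpenSSL 1.0.1e-fips 11 Feb 2013",
                 "OpenSSL 1.0.1g 7 Apr 2014"):
        print(f"{line!r} -> {classify_openssl_version(line)}")
```

Run it against a real server.xml by reading the file into `classify_connectors`; a JSSE result for every SSL connector means the Tomcat instance itself is not talking OpenSSL, and any remaining exposure is in a reverse proxy or other host software that links libssl.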
We are using Atlassian Confluence 5.1 with OpenSSL Version -
OpenSSL 1.0.0-fips 29 Mar 2010
We are using this application within our network (Intranet).
I have gone through many articles, and some say that updating the Linux box will bring in the OpenSSL patch:
yum update
I have gone through your blog, which says Confluence uses its own internal Apache server to start the application and thus this doesn't have much effect on the Atlassian application.
Can you please let me know your views on this? What if I proceed ahead with the patch, how does that affect my Confluence?