
Heartbleed on Jira 5.2

I would like to check whether Heartbleed affects Jira 5.2. Are there any documents stating whether it is affected or not, as I need to report to my IT side? If it is affected, what are the remedy steps to fix it? If I need to check the OpenSSL version installed on Jira, what would be the steps to check? Thanks

2 answers

0 votes
Pedro Souza Atlassian Team Apr 20, 2014

Hi,

Heartbleed has been confirmed, after investigation, to be an infrastructure issue. Our findings have been published in this blog post, which outlines the issue context. Please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/

To find out whether you are affected or not, please check the version of OpenSSL that is running on your server. OpenSSL 1.0.1 or 1.0.2 releases may be affected. The entirety of OpenSSL's statement regarding this matter can be accessed at this link: https://www.openssl.org/news/secadv_20140407.txt.

If you have followed our instructions on configuring SSL in any product (for example, https://confluence.atlassian.com/display/STASH/Securing+Stash+with+Tomcat+using+SSL), you are not using Tomcat’s APR and “native” OpenSSL libraries, but Java’s own implementation in javax.net.ssl.

Java SSL does not even support heartbeats.

If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.

If you have installed a WAR distribution, then we are not handling SSL and the app container might be using the host's libraries. **Again, if you configured the server not to use APR, you're fine.**

Cheers,

Pedro Souza.

Just upgrade it, or alternatively you can recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
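The two checks described in the answers above (which TLS stack each Tomcat connector is configured for, and whether an `openssl version` banner falls in the range named by the OpenSSL advisory) can be scripted. This is an added example, not Atlassian's or the posters' code; the function names, the `SSLEnabled="true"` assumption and the sample `server.xml` are constructed for illustration, and the connector classification is a heuristic based on the attributes present.

```python
import re
import xml.etree.ElementTree as ET

APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile"}  # directives named in the answer
JSSE_ATTRS = {"keystoreFile", "keystorePass"}                # Java keystore settings

def classify_connectors(server_xml):
    """Map each TLS-enabled <Connector> port to the TLS stack it is configured for."""
    verdicts = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # assumption: TLS connectors are marked SSLEnabled="true"
        attrs, protocol = set(conn.attrib), conn.get("protocol", "HTTP/1.1")
        if "Apr" in protocol or attrs & APR_ATTRS:
            verdicts[conn.get("port")] = "APR"      # native OpenSSL: check its version
        elif attrs & JSSE_ATTRS or protocol.endswith(("Http11Protocol", "Http11NioProtocol")):
            verdicts[conn.get("port")] = "JSSE"     # javax.net.ssl, no OpenSSL involved
        else:
            verdicts[conn.get("port")] = "UNKNOWN"  # confirm from Tomcat's startup log
    return verdicts

def openssl_version_affected(banner):
    """Check `openssl version` output against the ranges in the OpenSSL advisory.
    Distribution packages can carry a backported fix under an unchanged version
    string, so treat True as "verify the package changelog", not as proof."""
    m = re.match(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?", banner)
    if not m:
        return None
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return letter < "g"                 # 1.0.1 through 1.0.1f; fixed in 1.0.1g
    if base == "1.0.2":
        return beta in ("-beta", "-beta1")  # fixed in 1.0.2-beta2
    return False

# Constructed sample, not taken from any real installation.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" keystoreFile="conf/jira.jks"/>
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
             SSLCertificateFile="conf/jira.crt" SSLCertificateKeyFile="conf/jira.key"/>
</Service></Server>"""

if __name__ == "__main__":
    print(classify_connectors(SAMPLE_SERVER_XML))
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner, "->", openssl_version_affected(banner))
```

The OpenSSL library that Tomcat's native connector loads is not necessarily the one behind the `openssl` binary on the PATH, so check the library the APR connector actually links against.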
 
