
CVE-2019-12418 unpatched on 8.5 long term support after many months?

M. Scott Vintinner September 4, 2020

I've been asked by the security team to update Jira to remediate a security issue with our on-prem install of Jira Software:

CVE-2019-12418 Apache Tomcat 8.5.0 < 8.5.49 Privilege Escalation (132413)

We are running the Long Term Support/Enterprise version 8.5.4 which runs Apache 8.5.42, and is affected by this issue. 

I found this issue on the roadmap here: https://jira.atlassian.com/browse/JRASERVER-71321

and it appears that the plan is to only provide a fix in newer (non-enterprise) versions of Jira (8.12+). If I'm missing something, please let me know.

I'm trying to understand why the Long Term Support version isn't being long term supported with regard to this issue. 

Any help would be appreciated.

1 answer

0 votes
Carlos Garcia Navarro
Community Champion
September 4, 2020

Hi @M. Scott Vintinner,

I was reading the documentation on long term support releases and I understand the expectation to address this security issue. I'm not sure if when the documentation refers to bug fixes, it also includes this issue with Apache Tomcat (maybe they refer to bugs in Atlassian products), but it's worth asking Atlassian Support: https://support.atlassian.com/contact/#/

You can also comment on the ticket (https://jira.atlassian.com/browse/JRASERVER-71321), but I'd contact Support anyway. There are members from the Atlassian Team in this forum; they may also comment here.

Deployment type: Server
Version: 8.5.4