How does this OpenSSL vulnerability affect JIRA
We are using JIRA v4.3.4 (#620-r152668) with SSL - GoDaddy CA.
https://www.openssl.org/news/secadv_20140407.txt
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
Hi Jijo,
it *could* be affected, see: https://issues.apache.org/bugzilla/show_bug.cgi?id=56363
It depends on if you're running Apache-Native or not, I always have a webserver in front of Tomcat for ssl connections so I'm not entirely sure about your tomcat instance.
If you have access to a linux box (or a Mac) you can install this script and test for yourself: https://gist.github.com/sh1n0b1/10100394
Note: this comment applies only to standalone distributions, the ones that come with a built in web server.
If you have followed our instructions on configuring SSL in any product (for example, https://confluence.atlassian.com/display/STASH/Securing+Stash+with+Tomcat+using+SSL), you are not using Tomcat’s APR and “native” OpenSSL libraries, but Java’s own implementation in javax.net.ssl. Java SSL does not even support heartbeats.
If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.
Moreover, Fisheye & Crucible installs Jetty instead of Tomcat. Jetty uses javax.net.ssl too.
If you have installed a WAR distribution, then we are not handling SSL and the app container might be using host’s libraries. Again, if you configured the server not to use APR, you’re fine.
See also http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/.
It depends on the webserver you're using. If you're using IIS you're not affected for once. If you're using Apache on Windows you may be affected. I'm not sure what SSL library Apache on Windows uses.
If you're brave you can paste the URL of your Jira instance here to find out if you're vulnerable or not: http://filippo.io/Heartbleed/
Thanks much Vitaly for clarification.
We are using other Atlassian products as well, those are on intranet.
Hi Vitaly,
We are using Atlassian Confluence 5.1 with OpenSSL Version -
OpenSSL 1.0.0-fips 29 Mar 2010
We are using this application within our network (Intranet).
I have gone through many articles and some say by updating Linux box will update with OpenSSL Patch.
yum update
I have gone through your blog, which says Confluence uses its own internal Apache server to start the application and thus doesn't have much effect on Atlassian applications.
Can you please let me know your views on this? What if I proceed ahead with the patch; how does that affect my Confluence?
Hi Andre,
The application version is Apache Tomcat/6.0.32 - Servlet API 2.5.
Below is the Apache connector config:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false"
           keyAlias="tomcat" keystoreFile="C:\JIRA\.keystore" keystorePass="xxxxxxx" maxHttpHeaderSize="8192"
           maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>
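The distinction Vitaly draws above (keystoreFile + Http11Protocol means Java's javax.net.ssl, SSLCertificateFile or an Apr protocol class means Tomcat's native OpenSSL) can be checked mechanically against a server.xml. The script below is an added example, not Atlassian's or Tomcat's own code; the sample server.xml is constructed for the example (its first connector mirrors the one posted in this thread, with the keystore password replaced).

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: connector 443 mirrors the config posted in
# this thread; 8443 and 9443 are added to show the APR and auto-select cases.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" port="443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11Protocol"
               keyAlias="tomcat" keystoreFile="C:\\JIRA\\.keystore"
               keystorePass="changeit" sslProtocol="TLS"/>
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="/etc/ssl/server.crt"
               SSLCertificateKeyFile="/etc/ssl/server.key"/>
    <Connector SSLEnabled="true" port="9443" scheme="https" secure="true"
               protocol="HTTP/1.1" keystoreFile="/opt/jira/.keystore"/>
  </Service>
</Server>"""

# Human-readable meaning of each classification.
VERDICT = {
    "jsse": "JSSE (javax.net.ssl): no heartbeat support, not exposed to Heartbleed",
    "apr": "APR/native OpenSSL: exposed if the linked OpenSSL is 1.0.1 through 1.0.1f",
    "auto": "protocol=HTTP/1.1: Tomcat uses APR when libtcnative loads, else JSSE",
}

def classify_connector(attrs):
    """Return 'jsse', 'apr' or 'auto' for one <Connector> attribute dict."""
    proto = attrs.get("protocol", "HTTP/1.1")
    # APR directives (SSLCertificateFile etc.) or an Apr protocol class
    # mean the native OpenSSL stack is in use.
    if "Apr" in proto or "SSLCertificateFile" in attrs:
        return "apr"
    # Explicit Java protocol classes (Http11Protocol, Http11NioProtocol)
    # always use javax.net.ssl, regardless of whether tcnative is present.
    if proto.startswith("org.apache.coyote.http11.Http11"):
        return "jsse"
    # Bare "HTTP/1.1" lets Tomcat auto-select, so the answer depends on
    # whether the native library is installed on the host.
    return "auto"

def audit_server_xml(xml_text):
    """List (port, classification) for every SSL-enabled connector."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), classify_connector(c.attrib))
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]

if __name__ == "__main__":
    for port, kind in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {VERDICT[kind]}")
```

For the "apr" and "auto" cases the OpenSSL version string alone does not settle it, since distributions backport the fix without bumping the version; check the vendor advisory for the installed package.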
Hi Andre,
Thank you much for the quick answer. We are using Windows Server 2008 R2 Standard with SP1. How does that affect us, and how can we come out of this?
Hi Jijo,
if you're using one of the affected distributions you should upgrade at least openssl/libopenssl, restart apache, change your passwords, create a new server.key & server.csr and rekey the certificate (afaik this is without costs at Godaddy).
Ubuntu 10.x is not affected, Ubuntu 12.04 LTS is affected. Centos6/RHEL6 is also affected.
For Ubuntu you can upgrade just openssl with the following commands:
apt-get update && apt-get install openssl libssl1.0.0
For CentOS:
yum install openssl
You can create a new server.key & csr with the following command:
openssl req -nodes -newkey rsa:2048 -keyout www.servername.com.key -out www.servername.com.csr
When you've replaced the key & crt with new ones from Godaddy you should revoke the old certificate.