Is Jira 7.x affected by CVE-2016-5582?

Jens Kisters __SeibertSolutions
February 3, 2019

Hello,

I noticed this vulnerability warning.

It reads

unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573.

 

So "Hotspot" is "the open-source Java VM implementation by Oracle".

Is that the JRE that ships with Jira? Or is this another JRE?

I am uncertain if this means there is an attack vector when running a Jira version that uses this Java version.

By the way: Is there a handy table somewhere on the internet listing which Jira version ships with which version of the JRE?

Thanks in advance

Jens

2 answers

0 votes
Daniel Eads
Atlassian Team
February 4, 2019

Hey @Jens Kisters __SeibertSolutions,

The Hotspot version does come bundled with the installer.

Unfortunately we do not maintain a list of which JRE versions were bundled with which version of Jira. There's also the chance that Jira was installed without using the .bin/.exe installers (the .tar.gz does not include a JRE) or that the JAVA_HOME has been modified to use the system Java. Because of that, I wouldn't want to say straightaway "Jira 7.__ is ok" since you won't know for sure that the bundled JRE is in use without looking.

The safest advice is to check the System Info page for each instance you're concerned about and check the Java Version string.

 

All that being said, I checked these versions manually:

  • Jira 7.1.0 bundled with 8u51
  • Jira 7.2.0 bundled with 8u102
  • Jira 7.3.0 bundled with 8u102
  • Jira 7.4.0 bundled with 8u102
  • Jira 7.5.0 bundled with 8u102
  • Jira 7.6.0 bundled with 8u102 -> 7.6.11 bundled with 8u181
  • Jira 7.7.0 bundled with 8u102 -> 7.7.4 bundled with 8u102
  • Jira 7.8.0 bundled with 8u102
  • Jira 7.9.0 bundled with 8u102
  • Jira 7.10.0 bundled with 8u102
  • Jira 7.11.0 bundled with 8u102 -> Jira 7.11.2 bundled with 8u102
  • Jira 7.12.0 bundled with 8u102 -> 7.12.3 bundled with 8u181
  • Jira 7.13.0 bundled with 8u181

So if you're not running 7.6.11, 7.12.3, or 7.13/above, you're likely on u102 (again - check the System Info page to confirm).

I don't know the specifics of how that attack vector might be utilized, but it does sound like this is an ideal time to look at a bugfix or version upgrade for many environments.

Cheers,
Daniel
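As an added, illustrative example (not code from Atlassian or from anyone in this thread): a small Python script that parses the Java Version string as it appears on Jira's System Info page or in `java -version` output, and flags it against the three affected versions quoted in the question (6u121, 7u111, 8u102). It assumes that those update numbers are the last affected ones for each major version, so any higher update of the same major is treated as fixed; the bundled-JRE path is a placeholder, since the answer above points out that the JRE actually in use may be the system Java rather than the bundled one.

```python
"""Classify a JRE version string against the versions named in CVE-2016-5582.

Added example, not Atlassian's or Oracle's code. Assumption: for each major
version, updates at or below the quoted number are affected and any later
update carries the fix. Java 9+ strings are out of scope and return None.
"""
import re
import subprocess
from typing import Optional, Tuple

# Affected versions quoted from the advisory text in the question: major -> update.
AFFECTED_UPDATES = {6: 121, 7: 111, 8: 102}

# Legacy "1.<major>.0_<update>" form used by Java 6/7/8, e.g. "1.8.0_102-b14".
_JAVA_VERSION_RE = re.compile(r"^1\.(?P<major>[678])\.0_(?P<update>\d+)")

# The "java version" line that `java -version` prints (to stderr).
_VERSION_LINE_RE = re.compile(r'version "([^"]+)"')

# Constructed sample strings in the form seen on the System Info page.
SAMPLE_VERSIONS = ["1.8.0_102", "1.8.0_181-b13", "1.8.0_51", "1.7.0_111", "11.0.2"]


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java 6/7/8 string, or None otherwise."""
    m = _JAVA_VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def is_affected(version_string: str) -> Optional[bool]:
    """True if the update is at or below the affected update for its major,
    False if it is newer, None if the string is not a Java 6/7/8 version."""
    parsed = parse_java_version(version_string)
    if parsed is None:
        return None
    major, update = parsed
    return update <= AFFECTED_UPDATES[major]


def version_from_java_output(output: str) -> Optional[str]:
    """Pull the quoted version out of `java -version` output."""
    m = _VERSION_LINE_RE.search(output)
    return m.group(1) if m else None


def check_java_binary(java_bin: str) -> Optional[bool]:
    """Run `<java_bin> -version` and classify the result.

    `java_bin` is whichever java Jira actually starts with: the bundled
    <JIRA_INSTALL>/jre/bin/java (placeholder path) or $JAVA_HOME/bin/java.
    Returns None if the binary cannot be run or the version is not Java 6/7/8.
    """
    try:
        proc = subprocess.run([java_bin, "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # java -version writes to stderr; check stdout as a fallback.
    version = version_from_java_output(proc.stderr or proc.stdout)
    return is_affected(version) if version else None


if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        verdict = is_affected(v)
        label = {True: "AFFECTED", False: "fixed", None: "out of scope"}[verdict]
        print(f"{v:16s} {label}")
    # Check the JRE on this host; replace with the bundled path for a Jira node.
    print("local java:", check_java_binary("java"))
```

Running the script over the sample strings prints `AFFECTED` for 8u102 and 8u51, `fixed` for 8u181, and `out of scope` for the Java 11 string; on a Jira node, point `check_java_binary` at the same binary the service starts with, which is the check the answer above recommends doing via the System Info page.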

0 votes
Gonchik Tsymzhitov
Community Champion
February 4, 2019
Jens Kisters __SeibertSolutions
February 4, 2019

Hi Gonchik,

thanks for your reply, but I fail to see how this answers my question.

I am aware of the path to migrate away from Oracle JDK, but I want to know if the vulnerability affects our systems if we don't walk that path yet.

Cheers

Jens

Gonchik Tsymzhitov
Community Champion
February 4, 2019

Hi! 

 

Let's check when 8u102 was delivered:

https://www.oracle.com/technetwork/java/javase/8u102-relnotes-3021767.html

 

Updating the JDK for one system can be done in 2 min with 2-3 min downtime of this node. Of course, if you are using Jira DC, it is not your issue.

https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html

 

Cheers,

Gonchik

Jens Kisters __SeibertSolutions
February 4, 2019

Hi Gonchik,

my interpretation of your response is:

"just update the JRE, it's not a big deal"

Is that correct?

I am currently trying to decide if I have to, because we are talking about a large number of server instances, and before managing downtimes with a lot of clients I'd like to know if the vulnerability does affect our Jira systems.

Plus I am not sure we are eligible to upgrade without paying Oracle for it.

Kind regards

Jens
