How to block the /secure/admin/SendBulkMail!default.jspa endpoint in Jira server?

Abhinav Arae July 13, 2019

Hello All,

 I'm working on mitigating the recent Jira security issue by blocking the /secure/admin/SendBulkMail!default.jspa endpoint from being accessed in Jira server. I don't find this property in server.xml or in other files.

 Could someone please help me here?

Thank you.

2 answers

1 accepted

0 votes
Answer accepted
Thomas Deiler
Community Champion
July 14, 2019

Dear @Abhinav Arae ,

You can do this in two different ways:

Option 1:

Read this article and adapt server.xml to your needs.

Option 2:

Block the URL in front of Tomcat - within the reverse proxy configuration. For nginx follow this article.

So long

Thomas

Abhinav Arae July 15, 2019

Hello Thomas,

 Thank you very much for your reply. I've tried the same and restarted the instance, but I'm still able to hit this page:  https://jira.dev.****.com/secure/admin/SendBulkMail!default.jspa

 I thought the expected outcome should be that we shouldn't be able to hit this page, which mitigates the security issue. Am I correct?

I really appreciate your help!

Thank you.

Thomas Deiler
Community Champion
July 15, 2019

Dear @Abhinav Arae ,

You commented on both answers with the same comment, that it doesn't work. So why is the first answer accepted, when it didn't help? What do I miss?

Thomas

Abhinav Arae July 15, 2019

Sorry, I unaccepted it now. Could you please help me fix this? I wonder if I'm adding the context path at the wrong location in server.xml file.

Thomas Deiler
Community Champion
July 15, 2019

Can you paste your server.xml without the commented-out lines, please?

Abhinav Arae July 15, 2019

<?xml version="1.0" encoding="utf-8"?>


<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />


<Service name="Catalina">

<Connector port="9000"
scheme="https"
proxyName=""
proxyPort=""
secure="true"

maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"

enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"/>



<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">


<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>

<!-- Jira security remediation fix - -7/15/2019 -->

<Context path="https://jira.dev.****.com/secure/admin/SendBulkMail!default.jspa" docBase="" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>
</Host>


<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i
&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>

Abhinav Arae July 15, 2019

Above is the server.xml I'm using, where I've placed the new context path under Engine. Once I try to restart Jira, Jira wouldn't start; when I tried commenting out the new context path, Jira works fine.

Thomas Deiler
Community Champion
July 15, 2019
<Context path="https://jira.dev.****.com/secure/admin/SendBulkMail!default.jspa" docBase="" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>

use instead:

<Context path="/secure/admin/SendBulkMail!default.jspa" docBase="" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>
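
Added example (editor's note, not code from the thread or from Atlassian): a small Python check for a server.xml blocking Context like the corrected one above, plus a model of which request URIs Tomcat would route into it. It catches the two failures seen in this thread (a full URL as the context path, which Tomcat rejects so the instance does not start, and the garbled element and class names) and one caveat the thread does not mention: RemoteAddrValve's allow/deny attributes are java.util.regex patterns, and a bare `*` is not a valid pattern (dangling quantifier), while `.*` is the unambiguous deny-all. The Host fragments and the hostname jira.dev.example.com are constructed for the example. The mapping rules are my reading of Tomcat's Mapper, stated as an assumption: percent-decode and normalise the path, ignore the query string, then select the longest Context path that equals the path or is followed by `/`. The URI `/secure/admin/SendBulkMail.jspa` is a hypothetical sibling used only to show that the match is on the exact path.

```python
"""Added example: validate a Tomcat blocking Context and model which
request URIs it catches.  Sample Host fragments are constructed here;
the mapping rules are an assumption about Tomcat's Mapper (see lead-in)."""
import posixpath
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample 1: the attempt that stopped Jira from starting
# (context path is a full URL; element and class names are garbled).
BROKEN_HOST = """<Host name="localhost" appBase="webapps">
  <Context path="" docBase="${catalina.home}/atlassian-jira"/>
  <Context path="https://jira.dev.example.com/secure/admin/SendBulkMail!default.jspa" docBase="">
    <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*"/>
  </Context>
</Host>"""

# Constructed sample 2: the corrected path, but with deny="*" as in the
# thread.  allow/deny are java.util.regex patterns; '*' alone is invalid.
AS_POSTED_HOST = """<Host name="localhost" appBase="webapps">
  <Context path="" docBase="${catalina.home}/atlassian-jira"/>
  <Context path="/secure/admin/SendBulkMail!default.jspa" docBase="">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*"/>
  </Context>
</Host>"""

# Constructed sample 3: same, with the deny-all written as a valid regex.
FIXED_HOST = AS_POSTED_HOST.replace('deny="*"', 'deny=".*"')


def check_block_contexts(host_xml):
    """Return the problems found in the blocking Contexts (those with docBase="")."""
    problems = []
    host = ET.fromstring(host_xml)
    blockers = [c for c in host.findall("Context") if c.get("docBase") == ""]
    if not blockers:
        problems.append('no blocking Context (docBase="") found')
    for ctx in blockers:
        path = ctx.get("path", "")
        # Tomcat accepts only an empty context path or one starting with '/';
        # a full URL here is why the instance in the thread refused to start.
        if not path.startswith("/"):
            problems.append(f"context path must start with '/': {path!r}")
        valves = ctx.findall("Valve")
        if not valves:
            problems.append(f"no <Valve> element inside Context {path!r}")
        for valve in valves:
            if valve.get("className") != REMOTE_ADDR_VALVE:
                problems.append(f"unexpected valve class {valve.get('className')!r}")
            for attr in ("allow", "deny"):
                pattern = valve.get(attr)
                if pattern is None:
                    continue
                try:  # Python's re stands in for java.util.regex here
                    re.compile(pattern)
                except re.error:
                    problems.append(f"{attr}={pattern!r} is not a valid regular expression")
            if valve.get("allow") is None and valve.get("deny") is None:
                problems.append(f"valve in Context {path!r} has neither allow nor deny")
    return problems


def tomcat_context_for(request_target, context_paths):
    """Model of Tomcat's Context selection for one request-target (assumption)."""
    raw_path = urlsplit(request_target).path        # the query string is not mapped
    path = posixpath.normpath(unquote(raw_path))    # %21 -> '!', '..' segments collapsed
    best = ""                                       # "" is the root (Jira) context
    for ctx_path in context_paths:
        if ctx_path and (path == ctx_path or path.startswith(ctx_path + "/")):
            if len(ctx_path) > len(best):
                best = ctx_path
    return best


def is_blocked(request_target, host_xml):
    """True if the request would land in a Context guarded by a RemoteAddrValve."""
    contexts = ET.fromstring(host_xml).findall("Context")
    guarded = {c.get("path", "") for c in contexts
               if any(v.get("className") == REMOTE_ADDR_VALVE for v in c.findall("Valve"))}
    return tomcat_context_for(request_target, [c.get("path", "") for c in contexts]) in guarded


if __name__ == "__main__":
    for name, host in (("broken", BROKEN_HOST), ("as posted", AS_POSTED_HOST), ("fixed", FIXED_HOST)):
        print(name, check_block_contexts(host) or "ok")
    for target in ("/secure/admin/SendBulkMail!default.jspa",
                   "/secure/admin/SendBulkMail%21default.jspa?atl_token=x",
                   "/secure/admin/../admin/SendBulkMail!default.jspa",
                   "/secure/admin/SendBulkMail.jspa",  # hypothetical sibling URI, not from the thread
                   "/secure/Dashboard.jspa"):
        print(is_blocked(target, FIXED_HOST), target)
```

The mapping model shows what the Context-path approach does and does not do: the exact path, a percent-encoded spelling of it, a `..`-normalised form and any query string all land in the guarded Context, while a URI that merely shares a prefix without a `/` boundary falls through to the Jira root context. After restarting, confirm the real behaviour with a request for the literal and the percent-encoded path and check that both return 403, not a Jira page.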
Abhinav Arae July 15, 2019

Hey Thomas,

  That's a good catch :) It worked for me. I really appreciate your help!

Thank you.

Abhinav Arae July 15, 2019

Hello Anurag,

 Thank you very much for your reply. I've tried the same and restarted the instance, but I'm still able to hit this page:  https://jira.dev.****.com/secure/admin/SendBulkMail!default.jspa

 I thought the expected outcome should be that we shouldn't be able to hit this page, which mitigates the security issue. Am I correct?

I really appreciate your help!

Thank you.
