Around 2 months ago we upgraded to Jira version 8.9.0, and now we are getting some vulnerabilities reported on that version. Here are the vulnerabilities that we have:
- atlassian-jira-cve-2020-4028
- atlassian-jira-cve-2020-4022
- atlassian-jira-cve-2020-14168
- atlassian-jira-cve-2020-14169
- atlassian-jira-cve-2020-14174
- atlassian-jira-cve-2020-14167
I want to ask if there is a way to remediate these vulnerabilities without doing another upgrade to a fixed version. We want to stay with version 8.9.0 for now, as doing another upgrade is not feasible for us right now. Please let me know if there is a workaround for these vulnerabilities on version 8.9.0. Thank you!
There is no supported way to fix these vulnerabilities other than to upgrade to a version that does not have them.
If you were on a long-term-support (previously called "enterprise") version, then point-releases or patches from Atlassian would be available. But you are not, so your only options are to upgrade, or to work out your own patches for them (including re-testing every affected area and worrying about compatibility) and render your Jira unsupported.
Just a follow-up question, Nic: if we are on a long-term-support version, what is the process to acquire and apply the point-releases or patches from Atlassian? Thanks!
I think you got a good answer from Bastien over at https://community.atlassian.com/t5/Jira-Software-questions/What-is-the-process-to-acquire-and-apply-the-point-releases-or/qaq-p/1494496 - it's what I would have said too.
Note that Atlassian sometimes (although not frequently) do "patches" rather than releases. These have their own installation process which is usually more along the lines of "replace a file or files in the server installation with the distributed files". But this is rare.
Hi Nic,
So, even with the long-term-support version, if it is a release, the process will still be similar if you want to upgrade to a fixed version in terms of vulnerabilities. Just an example: say the long-term-support version is version 8.5.0 and I'm on that version right now, and there is a vulnerability for this version and Atlassian released a fix for the vulnerability in version 8.5.1. In this case, I still need to upgrade to 8.5.1. Please confirm if my understanding is correct. If my understanding is correct, I want to understand what the benefit of being on the long-term-support version is in terms of remediating vulnerabilities. Thank you!
Yes, most fixes are a point-release upgrade. These are trivial to install, though, and do not make significant changes to the system.
The benefit of LTS is that these point releases will continue to be released for years, so you won't have to make a significant upgrade that might change the way the whole system works just to fix a minor flaw (in your example 8.6 has a couple of rewritten screens compared with 8.5)
Hi Paul,
Basically yes. The process is much the same. The advantage of the long-term-support release is that a security flaw will be fixed until the version reaches end-of-life.
In case you are on a non-long-term-support release and a security flaw is detected, it is not assured that it will get the fix (in an imaginary example, if v8.6.4 had a security issue you'd be asked to update to 8.7.0). The drawback here is that, as it is a new version, some behaviours, design elements, functions or menus could have (and probably will have!) changed, and you would need your users to re-test and double-check that everything still works. With a small-ish update from 8.5.6 -> 8.5.7 (let's say) there is much less potential for users to claim that something has drastically changed. Also, apps are much more likely to continue to work.
Please also consider reviewing the following Community post:
https://community.atlassian.com/t5/Jira-articles/Announcing-the-next-Jira-Long-Term-Support-releases-previously/ba-p/1419019
Cheers,
Daniel
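The two answers above describe the same distinction: a fix that lands in the same feature line (8.5.6 -> 8.5.7) is a point release, while a fix that requires moving to the next feature line (8.6.4 -> 8.7.0) is a feature upgrade with re-testing and app-compatibility risk. The script below is an added example, not code from this thread or from Atlassian: it reads the installed version from a constructed sample of Jira's `/rest/api/2/serverInfo` response, compares versions numerically rather than as strings (so 8.10.x correctly sorts after 8.9.x), and classifies the upgrade path from the installed version to a given fixed-in version. The fixed-in versions, the sample response and the LTS line (8.5, taken from the thread's own example) are assumptions for illustration; the real fixed-in versions for the CVEs listed above are not stated on this page and must come from the Atlassian advisories.

```python
import json
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Constructed sample of the JSON that Jira Server/DC returns from
# GET /rest/api/2/serverInfo. Only the fields used below are included and
# the values are made up to match the 8.9.0 instance in the thread.
SAMPLE_SERVER_INFO = json.dumps({
    "baseUrl": "https://jira.example.internal",
    "version": "8.9.0",
    "versionNumbers": [8, 9, 0],
    "deploymentType": "Server",
})

# Assumption for illustration: the thread uses 8.5 as its LTS example.
# Replace with the current LTS lines from Atlassian's release notes.
ASSUMED_LTS_LINES = {(8, 5)}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a tuple so comparisons are numeric.

    A plain string comparison would put '8.10.1' before '8.9.0'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unexpected Jira version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_version(server_info_json: str) -> Version:
    """Extract the running version from a serverInfo response body."""
    info = json.loads(server_info_json)
    return parse_version(info["version"])


def classify_upgrade(current: str, fixed_in: str) -> str:
    """Classify the move from `current` to `fixed_in`.

    'none'            already on or past the fixed version
    'point-release'   same major.minor line, e.g. 8.5.6 -> 8.5.7
    'feature-upgrade' crosses a feature line, e.g. 8.6.4 -> 8.7.0
    """
    cur, tgt = parse_version(current), parse_version(fixed_in)
    if tgt <= cur:
        return "none"
    if cur[:2] == tgt[:2]:
        return "point-release"
    return "feature-upgrade"


def remediation_plan(current: str, fixed_in: str) -> Dict[str, object]:
    """Summarise what an upgrade to `fixed_in` means for an instance on `current`.

    `on_lts` flags whether the current feature line is one where, per the
    thread, point releases keep coming; `retest_required` is set whenever
    the path crosses a feature line.
    """
    kind = classify_upgrade(current, fixed_in)
    cur = parse_version(current)
    return {
        "current": current,
        "fixed_in": fixed_in,
        "kind": kind,
        "on_lts": cur[:2] in ASSUMED_LTS_LINES,
        "retest_required": kind == "feature-upgrade",
    }


if __name__ == "__main__":
    running = ".".join(str(n) for n in installed_version(SAMPLE_SERVER_INFO))
    # Hypothetical fixed-in versions, used only to show the classification.
    for target in ("8.9.0", "8.9.1", "8.10.1"):
        print(remediation_plan(running, target))
```

Run it against a live instance by replacing `SAMPLE_SERVER_INFO` with the body of an authenticated GET to `<baseUrl>/rest/api/2/serverInfo`; the classification is what tells you whether the fix is the trivial point release Nic describes or the feature upgrade Daniel warns needs user re-testing.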