
We are facing Vulnerability in JIRA

Prasad Nagarale January 30, 2023

Please suggest which version we have to upgrade Jira to (the latest version) based on the given vulnerabilities, or give me any other solution to resolve these vulnerabilities.

Jira:

Current Jira Version: v8.20.10
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Apache Tomcat/8.5.78

 

Below are the Vulnerabilities:

  • Vulnerable server version (Apache RHEL 2.4.37) was running on multiple hosts: it was observed that multiple hosts (13.234.49.120 & 3.6.35.140) were running Apache HTTP Server version 2.4.37, which is outdated and vulnerable. Apache needs to be upgraded to the latest supported version (latest version: 2.4.54).
  • Multiple hosts were running vulnerable versions of jQuery: it was observed that the remote host (13.234.29.120) was running jQuery UI version 2.24, which is vulnerable to various vulnerabilities. Please upgrade to the latest jQuery version.
  • Multiple hosts are vulnerable to the Lucky13 vulnerability: it was observed that the host (3.6.35.140) is vulnerable to Lucky13, and to remediate the vulnerability we should remove the CBC ciphers and use only AES-GCM ciphers.
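As an added example (not from the original post), the third finding's remediation expressed as Apache 2.4 mod_ssl directives: the flagged cipher setting is shown commented out beside a hardened one that offers only AES-GCM suites. The host name, certificate paths and Tomcat port are placeholders.

```apache
# Added example (not from the original post): Apache 2.4 mod_ssl settings
# that address the Lucky13 finding by offering only AES-GCM (AEAD) suites.
# Placeholder host name and certificate paths; adjust for your deployment.
<VirtualHost *:443>
    ServerName jira.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/jira.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/jira.example.com.key

    # Weak setting (what a scanner flags): "HIGH" still includes CBC suites
    # such as ECDHE-RSA-AES256-SHA384, so Lucky13 applies.
    #SSLCipherSuite HIGH:!aNULL:!MD5

    # Hardened setting: TLS 1.2/1.3 only, server chooses the order, and the
    # TLS 1.2 list contains GCM suites only (no CBC, no RC4, no 3DES).
    # On RHEL 8 the stock ssl.conf uses PROFILE=SYSTEM; an explicit list
    # like this one overrides the system crypto policy for this vhost.
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    # TLS 1.3 suites are AEAD by design; the separate TLSv1.3 form of the
    # directive needs Apache >= 2.4.36 built against OpenSSL 1.1.1.
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

    # Reverse proxy to the Tomcat instance that actually runs Jira
    # (assumed to listen on 127.0.0.1:8080).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

After reloading httpd, confirm with a TLS scanner of your choice that no CBC suite is negotiated; the scanner's "CBC removed" result is what closes the finding, not the config edit alone.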

 

2 answers

0 votes
Nic Brough -Adaptavist-
Rising Star
January 30, 2023

Where are you terminating your SSL?

Your three reports all seem to be referring to Apache, which is often used as a proxy server to put in front of a Jira system, and used to do (amongst other things), the SSL work.

Jira runs on the application server Apache Tomcat, a totally different bit of software.  

From your question, we can't tell where your SSL is being done.  I think it is Apache, as you mention 2.2 and 2.4 as versions, and Jira 8.20 runs on Tomcat 8.something.

So the simple answer is likely to be that this is not a Jira problem.  Upgrade your Apache proxy to a non-vulnerable version, you don't need to look at Jira at all.

0 votes
Clark Everson
Community Champion
January 30, 2023

Hi @Prasad Nagarale 

Looking at your version you are on 8.20.10

8.20 is what is considered a long term release. As vulnerabilities are fixed, the long term releases are updated for two years.

You are currently 7 versions behind for the 8.20.x security patches: https://confluence.atlassian.com/jirasoftware/jira-software-8-20-x-release-notes-1086411771.html

The best practice with LTS is to update them as the new .x version comes out; this avoids security issues.

So my recommendation would be to update to 8.20.17.

 

Best,
Clark
