Upgrade bundled Tomcat to the latest minor release

2013-06-19T09:30:24
ID ATLASSIAN:JRA-33563
Type atlassian
Reporter mizan
Modified 2017-02-20T04:49:59

Description

The customer ran a security scan on their instance and found that the JIRA version they are using (5.1.8) is exposed to security vulnerabilities in the bundled Tomcat, which is version 6.0.35.

Security vulnerability information:

  • http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36

The customer is therefore considering upgrading to the latest JIRA version (6.0.2). However, the Tomcat version bundled with it (7.0.29) is still exposed to security vulnerabilities, as stated in the following Tomcat documentation:

  • http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.30

{quote}
Important: Denial of service CVE-2012-3544

When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DOS by streaming an unlimited amount of data to the server.

This was fixed in revisions 1378702 and 1378921.

This issue was reported to the Tomcat security team on 10 November 2011 and made public on 10 May 2013.

Affects: 7.0.0-7.0.29

Moderate: DIGEST authentication weakness CVE-2012-3439

Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved:

  • Tomcat tracked client rather than server nonces and nonce count.
  • When a session ID was present, authentication was bypassed.
  • The user name and password were not checked before when indicating that a nonce was stale.

These issues reduced the security of DIGEST authentication making replay attacks possible in some circumstances.

This was fixed in revision 1377807.

The first issue was reported by Tilmann Kuhn to the Tomcat security team on 19 July 2012. The second and third issues were discovered by the Tomcat security team during the resulting code review. All three issues were made public on 5 November 2012.

Affects: 7.0.0-7.0.29

Important: Bypass of security constraints CVE-2012-3546

When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

This was fixed in revision 1377892.

This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012.

Affects: 7.0.0-7.0.29
{quote}

The customer asked that this information be conveyed here and that future releases bundle a later Tomcat version, to avoid the security vulnerabilities stated above.

Currently the only way to avoid this security exposure is to deploy the WAR installation on a later version of Tomcat.
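An added check, not part of this issue or of any Atlassian tooling, that reads the bundled Tomcat's version and compares it against the fixed-in releases from the two Tomcat security pages cited above (6.0.36 and 7.0.30). It assumes the JIRA install directory uses the standard Tomcat layout, with the version recorded in lib/catalina.jar under org/apache/catalina/util/ServerInfo.properties.

```python
"""Flag a bundled Tomcat 6.x/7.x that predates the fix releases named in this issue."""
import re
import zipfile
from pathlib import Path

# Fix releases taken from the security pages linked in the issue:
# security-6 (Fixed in 6.0.36) and security-7 (Fixed in 7.0.30).
FIXED_IN = {6: (6, 0, 36), 7: (7, 0, 30)}


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'Apache Tomcat/7.0.29'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when a 6.x or 7.x version is older than its branch's fix release.

    Branches the issue does not cover (5.x, 8.x, ...) raise instead of guessing,
    so an unexpected install is surfaced rather than silently marked safe.
    """
    major = version[0]
    if major not in FIXED_IN:
        raise ValueError(f"Tomcat {major}.x is outside the branches discussed in the issue")
    return version < FIXED_IN[major]  # tuple comparison: (7,0,29) < (7,0,30)


def version_from_properties(props_text):
    """Parse the server.info line of a ServerInfo.properties file."""
    for line in props_text.splitlines():
        if line.startswith("server.info="):
            return parse_version(line.split("=", 1)[1])
    raise ValueError("server.info key not present")


def bundled_tomcat_version(install_dir):
    """Read the bundled Tomcat version out of lib/catalina.jar (assumed standard layout)."""
    jar = Path(install_dir) / "lib" / "catalina.jar"
    with zipfile.ZipFile(jar) as zf:
        props = zf.read("org/apache/catalina/util/ServerInfo.properties").decode("utf-8")
    return version_from_properties(props)


if __name__ == "__main__":
    import sys
    v = bundled_tomcat_version(sys.argv[1])  # e.g. the JIRA install directory
    state = "AFFECTED" if is_affected(v) else "fixed release or later"
    print(f"bundled Tomcat {'.'.join(map(str, v))}: {state}")
```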