Lucene search

K
atlassian[email protected]JRASERVER-65102
HistoryApr 17, 2017 - 8:48 a.m.

Update bundled Apache Tomcat due to security vulnerabilities

2017-04-1708:48:35
jira.atlassian.com
13

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

100.0%

There are a few vulnerabilities reported:

CVE-2017-5648 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/<[email protected]>]

CVE-2017-5650 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/<[email protected]>]

CVE-2017-5651 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/<[email protected]>]

CVE-2016-6817 - [https://vulners.com/cve/CVE-2016-6817]

CVE-2016-6816 - [https://vulners.com/cve/CVE-2016-6816]

For CVE-2017-5650 and CVE-2017-5651, the Severity is Important and:
{quote}Versions Affected:

  • Apache Tomcat 9.0.0.M1 to 9.0.0.M18
  • Apache Tomcat 8.5.0 to 8.5.12
  • Apache Tomcat 8.0.x and earlier are not affected{quote}
    {quote}Users of the affected versions should apply one of the following
    mitigations:
  • Upgrade to Apache Tomcat 9.0.0.M19 or later
  • Upgrade to Apache Tomcat 8.5.13 or later{quote}
    (+) Moving forward, fix versions of JIRA should be bundled with Tomcat 8.5.13/9.0.0.M19 or above.
    h5. Workaround

If Tomcat is to be manually upgraded, please refer to [How to upgrade Apache Tomcat version in JIRA 7.x|https://confluence.atlassian.com/display/JIRAKB/How+to+upgrade+Apache+Tomcat+version+in+JIRA+7.x]. Currently Tomcat 8.5.13 and 8.5.14 are available.

(!) Manually upgrading Tomcat is not recommended or supported.

Affected configurations

Vulners
Node
atlassianjira_data_centerRange7.3.0
OR
atlassianjira_data_centerRange7.3.4
OR
atlassianjira_data_centerRange<7.11.0
OR
atlassianjira_data_centerRange<7.6.9

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

100.0%