Security overview and advisories
This document is for system administrators who want to evaluate the security of the Jira application. The page addresses overall application security and lists the security advisories issued for Jira. As a public-facing web application, Jira’s application-level security is important. This document answers a number of questions that commonly arise when customers ask us about the security of our product.
Other topics that you may be looking for:
For information about permissions in Jira, see Permissions overview.
For guidelines on configuring the security of your Jira site, see Server optimization.
Application Security Overview
When Jira’s internal user management is used, passwords are hashed through the salted PKCS5S2 implementation provided by Embedded Crowd before being stored in the database. There is no mechanism within Jira to retrieve a user's password – when password recovery is performed, a reset password link is generated and mailed to the user's registered address.
When external user management is enabled, password storage is delegated to the external system.
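As an added example that is not Jira's or Embedded Crowd's own code, the following Python shows how a salted PKCS5S2-style password store is written and then checked by re-derivation only, so the stored value can never be turned back into the password. The parameters (PBKDF2-HMAC-SHA1, 10000 iterations, 16-byte salt, 32-byte digest, base64 of salt followed by digest behind a {PKCS5S2} prefix) are assumptions about the Crowd encoding and are not stated on this page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed PKCS5S2 parameters (not given on the page): PBKDF2-HMAC-SHA1,
# 10000 iterations, 16-byte random salt, 32-byte derived key, encoded as
# "{PKCS5S2}" + base64(salt || derived_key).
PREFIX = "{PKCS5S2}"
ITERATIONS = 10_000
SALT_LEN = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 digest and return the encoded string to store."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, DK_LEN)
    return PREFIX + base64.b64encode(salt + dk).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    There is no way to recover the password from `stored`; the only check
    possible is whether a candidate re-derives to the same digest.
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != SALT_LEN + DK_LEN:
        return False  # malformed record, not a usable hash
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, DK_LEN)
    return hmac.compare_digest(dk, expected)
```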
Jira is a 100% pure Java application with no native components. As such, it is highly resistant to buffer overflow vulnerabilities – possible buffer overruns are limited to those that are bugs in the Java Runtime Environment itself.
Database queries are generated using standard parameterized-query APIs (parameter replacement) rather than string concatenation. As such, Jira is highly resistant to SQL injection attacks.
Jira is a self-contained Java application and does not launch external processes. As such, it is highly resistant to script injection attacks.
Transport Layer Security
Jira does not directly support SSL/TLS. Administrators who are concerned about transport-layer security should set up SSL/TLS at the level of the Java web application server, or the HTTP proxy in front of the Jira application.
For more information on configuring Jira for SSL, see Running Jira over SSL or HTTPS.
Jira delegates session management to the Java application server in which it is deployed. We are not aware of any viable session-hijacking attacks against the Tomcat application server shipped with Jira.
Apps (add-ons) Security
Administrators install third-party apps at their own risk. Apps run in the same Java virtual machine as the Jira server and have access to both the Java runtime environment and the Jira server API.
Administrators should always be aware of the source of the apps they are installing, and whether they trust those apps.
Administrator Trust Model
Jira is written under the assumption that anyone given System Administrator privileges is trusted. System administrators are able, either directly or by installing plugins, to perform any operation that the Jira application is capable of.
As a security best practice, you should not run Jira as the root/Administrator user. If you want Jira to listen on a privileged network port, you should set up port forwarding or proxying rather than run Jira with additional privileges. The extra-careful may consider running Jira in a virtualized environment.
To help when debugging a problem, Jira provides stack traces through the web interface when an error occurs. These stack traces include information about what Jira was doing at the time, and some information about your deployment server.
Only non-personal information is supplied, such as the operating system and its version and the Java version. With proper network security, this is not enough information to be considered dangerous. No usernames or passwords are included.
Finding and Reporting a Security Vulnerability
Atlassian's approach to reporting security vulnerabilities is detailed in How to Report a Security Issue.
Publication of Jira Security Advisories
Atlassian's approach to releasing security advisories is detailed in Security Advisory Publishing Policy.
Atlassian's approach to ranking security issues is detailed in Severity Levels for Security Issues.
Our Security Bugfix Policy
Our approach to releasing patches for security issues is detailed in our Security Bugfix Policy.
There are no new security advisories for Jira. To see all Atlassian security advisories, go to Security Advisories.