Security overview and advisories

This document is for system administrators who want to evaluate the security of the Jira application. The page addresses overall application security and lists the security advisories issued for Jira. As a public-facing web application, Jira’s application-level security is important. This document answers a number of questions that commonly arise when customers ask us about the security of our product.


Application Security Overview

Password Storage

When Jira’s internal user management is used, passwords are hashed through the salted PKCS5S2 implementation provided by Embedded Crowd before being stored in the database. There is no mechanism within Jira to retrieve a user's password – when password recovery is performed, a reset password link is generated and mailed to the user's registered address.

When external user management is enabled, password storage is delegated to the external system.
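As an added illustration (not Jira's or Embedded Crowd's own code) of the salted one-way scheme described above: a password is hashed with a fresh random salt and verified by recomputing the hash, so nothing stored can be turned back into the password. The iteration count, salt and key lengths, the HMAC-SHA1 PBKDF2 variant and the `{PKCS5S2}` prefix are assumptions about the Crowd encoder, not values stated on this page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed PKCS5S2 parameters (PBKDF2 with HMAC-SHA1); not stated on the page.
PREFIX = "{PKCS5S2}"
ITERATIONS = 10_000
SALT_LEN = 16   # bytes of random salt prepended to the derived key
KEY_LEN = 32    # bytes of derived key


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return PREFIX + base64(salt || PBKDF2(password, salt)).

    A fresh random salt is drawn unless one is supplied (tests only).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    derived = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN
    )
    return PREFIX + base64.b64encode(salt + derived).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False  # unknown or legacy format; never accept it blindly
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != SALT_LEN + KEY_LEN:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                 # False
```

Because the salt is random per user, two users with the same password get different stored values, which is why a leaked table cannot be attacked with a single precomputed lookup.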

Buffer Overflows

Jira is a 100% pure Java application with no native components. As such, it is highly resistant to buffer overflow vulnerabilities – possible buffer overruns are limited to those that are bugs in the Java Runtime Environment itself.

SQL Injection

Database queries are generated using standard APIs for parameter replacement rather than string concatenation. As such, Jira is highly resistant to SQL injection attacks.

Script Injection

Jira is a self-contained Java application and does not launch external processes. As such, it is highly resistant to script injection attacks.

Transport Layer Security

Jira does not directly support SSL/TLS. Administrators who are concerned about transport-layer security should set up SSL/TLS at the level of the Java web application server, or the HTTP proxy in front of the Jira application.

For more information on configuring Jira for SSL, see Running Jira over SSL or HTTPS.

Session Management

Jira delegates session management to the Java application server in which it is deployed. We are not aware of any viable session-hijacking attacks against the Tomcat application server shipped with Jira.

Apps (add-ons) Security

Administrators install third-party apps at their own risk. Apps run in the same Java virtual machine as the Jira server and have access to both the Java runtime environment and the Jira server API.

Administrators should always be aware of the source of the apps they are installing, and whether they trust those apps.

Administrator Trust Model

Jira is written under the assumption that anyone given System Administrator privileges is trusted. System administrators are able, either directly or by installing plugins, to perform any operation that the Jira application is capable of.

As a security best practice, you should not run Jira as the root/Administrator user. If you want Jira to listen on a privileged network port, you should set up port forwarding or proxying rather than run Jira with additional privileges. The extra-careful may consider running Jira in a virtualized environment.

Stack Traces

To help when debugging a problem, Jira provides stack traces through the web interface when an error occurs. These stack traces include information about what Jira was doing at the time, and some information about your deployment server.

Only non-personal information is supplied, such as the operating system and its version and the Java version. With proper network security, this is not enough information to be considered dangerous. No usernames or passwords are included.

Finding and Reporting a Security Vulnerability

Atlassian's approach to reporting security vulnerabilities is detailed in How to Report a Security Issue.

Publication of Jira Security Advisories

Atlassian's approach to releasing security advisories is detailed in Security Advisory Publishing Policy.

Severity Levels

Atlassian's approach to ranking security issues is detailed in Severity Levels for Security Issues.

Our Security Bugfix Policy

Our approach to releasing patches for security issues is detailed in our Security Bugfix Policy.

Security Advisories

There are no new security advisories for Jira. To see all Atlassian security advisories, go to Security Advisories.

Last modified on Jan 28, 2019
