Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
The recently disclosed vulnerability regarding Tomcat affects the following versions:
- Apache Tomcat 6
- Apache Tomcat 7x <7.0.100
- Apache Tomcat 8x <8.5.51
- Apache Tomcat 9x <9.0.31
The exploit is only possible if you are using an AJP connector, not the regular HTTP connector that is used by default in both Jira and Confluence. You are only at risk for this exploit if you have manually configured your instance to use an AJP connector. You can verify if you are using an AJP connector by checking your $Jira-INSTALL/conf/server.xml file. By default the relevant section will look like the below example. If this is commented out in your instance as denoted by <!-- and --> then your instance is not at risk for this CVE. The following example is from an instance that is not affected by this CVE.
============================================================================================================== AJP - Proxying Jira via Apache over HTTP or HTTPS If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line See the following for more information: Apache - https://confluence.atlassian.com/x/QiJ9MQ ============================================================================================================== --> <!-- <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/> -->
At the time of this writing the latest version of Jira, 8.7.1 is shipped with Tomcat 8.5.42 which is still a Tomcat version that is vulnerable to this CVE if the AJP connector is enabled. If your instance is using the AJP connector you will want to utilize another connector method such as the HTTP connector until Jira/Confluence are released with an updated version of Tomcat.
The following KB should not be utilized on affected versions of Jira: