How to upgrade Apache Tomcat version used by Jira
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
The information in this page relates to customizations in JIRA. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.
Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
This KB is valid for Jira 7 and Jira 8 branches. It was not tested for previous Jira versions.
This article is mainly for users who are using the latest JIRA version and encounter security vulnerability from Apache Tomcat. If you are not using our latest JIRA version, please upgrade JIRA to have the latest fix instead of referring to the steps here.
We strongly recommend testing this in a JIRA staging environment to make sure everything is working and stable before applying it to production.
- Create a Backup for JIRA application installation directory and JIRA application home directory.
We recommend taking a full backup of the database
- Download the Apache Tomcat fix version zip file to a location of your choosing.
- If you're using Windows, you'll want to make sure you download the 64 or 32bit zip as appropriate (as that contains the windows binaries).
- Copy everything from
jira-install/bin, but do not replace any
\*.batfiles - we want to make sure these stay the same.
- Copy everything from
jira-install/liband replace any files that exist - we want to ensure that we have the latest and compatible libraries that are shipped with Tomcat.
- If going to Tomcat 8.5.32 or newer, perform the server.xml change described in Changing server.xml to handle requests with special characters
- Start JIRA, and confirm from System Information that JIRA is running the Apache Tomcat fixed version.
If upgrading to Tomcat 8.5.51 or higher and using an AJP connector, you need to inform a
secret on the AJP connector or disable this requirement by specifying
secretRequired="false" (not recommended) as instructed on Tomcat changelog. Failing to do this will prevent Tomcat from starting with the error below:
The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
If anything goes wrong, please revert the changes from the backup directories.