Jira Software 10.0.x release notes

Jira Software release notes

On this page

In this section

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

 

We're pleased to present Jira Software 10.0.

Highlights

Get the latest version

More

Read the upgrade notes for important info about this release and see the full list of issues resolved.

 Compatible applications

If you're looking for compatible Jira applications, look no further:


Introducing Data Center Security Hub

We’re pleased to introduce the Data Center Security Hubyour central place for Data Center security documentation.

With the Security Hub, you can proactively manage and enhance the security of your Data Center environment. It offers a wide range of resources to help you navigate the complex landscape of Data Center security effectively. These resources include configuring your instance, monitoring your product health, and managing vulnerabilities.

We’ve also released the Data Center security checklist and best practices for admins. This guide provides valuable insights on safely deploying and administering Atlassian self-managed software.

We value your input and actively encourage feedback. Share your comments on this Community post.

Upgrade to Atlassian Data Center Platform 7

Jira 10.0 includes an upgrade to Atlassian Data Center Platform 7. This upgrade improves the quality of our response to security changes with reduced disruption and breaking changes for Atlassian Marketplace apps.

As part of the upgrade to Platform 7 and with the focus on enhanced security and performance, we’ve made the following updates:

  • Reduced the number of third-party libraries and improving dependency management
  • Upgraded numerous Atlassian and third-party components to benefit from the latest security patches and bug fixes
  • Improved the overall definition of the Java API
  • Implemented the minimum required support for Java 17.

Prepare for the upgrade to Platform 7

Turn off the lights with dark theme

This feature is still a work in progress and some areas aren’t supported yet.

In this release, dark theme becomes partially available for the first time. Give it a try right now and enjoy the new experience for reduced eye strain, enhanced content readability, and visual harmony across work environments.

This feature is switched on by default with the Original theme selected. Additionally, the look and feel won’t apply color choices to both themes if your instance uses a custom header color, it will default to the light theme.

To change your theme, go to your Profile, then Theme, and select Light, Dark, or Match system.

Changes and additions to APIs

To turn off the theming, disable the feature flag: com.atlassian.jira.theme.switcher

Unsupported areas

Because this feature is a beta release, there are some areas that aren’t supported yet.

Full list of unsupported areas

The following components don’t support dark theme yet:

  • Dashboards
  • Plans
  • Help us improve Jira dialog
  • Automation for Jira
  • Parts of the administration area
  • Some reports
  • WebSudo page

The following areas have known visual issues:

  • Profile summary page
  • Some parts of the administration area:
    • Troubleshooting and support page
    • Administering personal access tokens page
    • Terminology page
    • Content delivery network page
    • Rate limiting page
  • Backlog view
  • Create project dialog

In Jira Service Management only:

  • The customer portal

Java 17 becomes the default

Jira 10.0 has been recompiled in JDK 17 with the Java 16 language level. This means that from now on you won’t be able to run Jira in lower Java versions (8 and 11).

Because of the removal of binary installers, Java is no longer bundled with Jira. Install Java manually

Jira Software Data Center is migrated and fully exposes REST v2

Platform 7 and Jira 10.0 have rearchitected the Java APIs used to implement REST resources, which we’re calling REST v2.

These changes will only impact Marketplace partners who develop apps. The underlying libraries, Jackson and Jersey, have been upgraded to the latest versions. REST v2 also makes use of JAX-RS 2. Check out the REST v2 migration guide

End of support for the H2 database engine

In Jira 10.0, we’ve removed support for the H2 database and the H2 library itself from Jira’s distribution. To resolve several security vulnerabilities, the JDBC driver for the H2 database engine won’t be bundled with Jira anymore. Additionally, you’ll no longer be able to evaluate Jira 10.0 using the H2 embedded database.

Updates to Jira automation

With the launch of Jira 9.0, we integrated Jira automation (formerly Automation for Jira) as part of Jira, offering you the convenience of upgrading either through Jira or the Universal Plugin Manager (UPM). To streamline and enhance your experience with Jira automation, we've made the decision to solely offer it as a bundled version starting from Jira 10.0. This is why, going forward, we’ll communicate all Jira automation updates in the Jira release notes.

This means that no future Jira automation versions will be available on the Atlassian Marketplace but we’ll continue to support the security of the existing versions. You'll still be able to access new features and improvements by simply upgrading Jira.

As of Jira 10.0, the bundled version of Jira automation has been updated to align with the changes introduced in this release, including the migration to REST v2.

Velocity template and allowlist security improvements

We're making steps towards verifiably secure installation directories for all Data Center products. These changes not only increase the difficulty for an attacker to exploit filesystem access but also allow customers to verify the state of the product installation.

Starting from Jira 10.0, all Velocity files stored on the filesystem (for example, shared, local home, or any other) will need to be explicitly allowlisted and must be of a specific file type. Files stored inside .jar files and bundled within plugins won't be affected.

In addition, all method invocations within a Velocity template must be explicitly allowlisted. For more information, visit Configuring the Velocity method allowlist and Configuring the Velocity file and file type allowlist.

For now, the Velocity method allowlist is in debug mode so that app developers can adjust to this mechanism and for us to complete the main allowlist and minimize the risk of issues. The debug mode will be disabled at the earliest in the upcoming Long Term Support release.

New default endpoint security annotations

We’re introducing a new set of annotations for Webwork actions, servlets, REST endpoints, and filters to improve endpoint security by giving you better control over access to endpoints. These annotations have been revised to ensure that only the intended users access your application endpoints.

Starting from Jira 10.0, when no annotation is specified, only licensed users will be able to access resources. To change this, annotate all endpoints that require lower security clearance level. You can also annotate all admin and system admin endpoints to provide tighter security measures.

Click here to expand...

If you’re experiencing issues with accessing an endpoint, you can check if this is related to the improved endpoint security by enabling debug logs and repeating the request. Here are the loggers that you need to configure:

  1. For REST endpoints, set com.atlassian.plugins.rest.v2.security.authentication.AuthenticatedResourceFilter to TRACE and search logs for AuthenticatedResourceFilter.

  2. For all other endpoints, set all of the following:

  • com.atlassian.jira.web.filters.annotations.ServletSecurityAnnotationsFilter
  • com.atlassian.jira.web.filters.annotations.JspChecker
  • com.atlassian.jira.web.dispatcher.JiraWebworkActionDispatcher
  • com.atlassian.jira.plugin.servlet.ServletModuleContainerServlet
  • com.atlassian.jira.web.filters.security.AccessCheckFilter

to DEBUG and search logs for [SECURITY ANNOTATION CHECK].

There are two scenarios when this can happen:

  1. An endpoint that should be accessible to logged-in users only was too permissive in Jira 9 and allowed anonymous traffic. By lifting the default security clearance level to logged-in users, we blocked anonymous access to such endpoints. If your integration had used such an endpoint without proper authentication, you'll need to update it.

  2. An endpoint that should be accessible to anonymous users has been overlooked during the update (by Atlassian or an app vendor) and now blocks anonymous access. In this case, either Jira itself or the app needs to be fixedcontact Atlassian Support or the Marketplace app developer, depending on the endpoint type. If the app is developed in-house by your organisation, you can refer to our guide that will help you prepare your Data Center app to comply with secure endpoint defaults.
    Unfortunately, for security reasons, there is no way to change the security clearance level without recompiling code, so fixing requires a new Jira or app version and can't be adjusted by a property.

Security monitoring and alerts

Admins can now promptly identify and address critical security threats. This feature helps monitor and detect suspicious activities, such as modifications to important configurations or changing access rights.

When the system identifies a threat, admins receive email alerts. These alerts contain suggested actions to investigate and address any possible security threats effectively.

Authorized users can use this feature to view, search, and categorize alerts. Upon viewing an alert, a detailed chart depicting the user's historical activities is displayed. This functionality empowers security team members to acquire valuable insights into the user's past actions.

Enabling attachment storage in Amazon S3 without a feature flag

S3 object storage offers an enhanced enterprise experience compared to the Network File System (NFS), especially for customers with large or growing data storage needs. Learn more about configuring Amazon S3 object storage

In Jira 9.11, we introduced the possibility of configuring a custom storage methodAmazon S3 (Simple Storage Service). This feature was available behind the feature flag com.atlassian.jira.attachments.storage.configurable.

Starting from Jira 10.0, this behavior is available without a feature flag as all incompatible APIs have been removed. Learn how to store attachments in Amazon S3

You can also store attachments in a third-party object store that exposes an S3-compatible API. However, we’re not providing direct support for attachments that are stored in an object store other than Amazon S3.

Deprecating MD5 in workflow layouts

We're removing the usage of the MD5 hash from Jira Data Center when reading/writing a workflow layout. As a result, we’ll no longer create the layout.json file when using Export as a workflow for new imported workflows from the Atlassian Marketplace. We’ll continue creating the layout.v2.json file.

We’ve implemented upgrade tasks to convert existing workflow layouts from MD5 to the more secure SHA256 hashing function. The upgrade tasks will be run during the upgrade to Jira 10.0.

Customers interested in transitioning from Jira Data Center to Jira Cloud should first upgrade to Jira 10.0 or newer. Similarly, those looking to migrate from Jira Cloud to Jira Data Center can only do so for Jira 10.0 or a later release.

Almost out of user licenses? Get an early alert

Keep track of your Jira Software and Jira Service Management license seats with our new health check alert. It warns you as you approach your limit, giving you time to either upgrade your license or manage your user count. Additionally, you can customize this alert to notify you about a set number or percentage of available seats. By default, this is set to 10%. Explore how to set up a health check for Jira license limit notifications

Before you upgrade to Jira 10.0

Platform releases allow us to incorporate multiple significant changes (often called breaking changes) that aren't compatible with previous versions. These changes establish a strong foundation for more extensive development in future releases.

In this release, we’ve made significant changes in our core architecture to increase security and performance. Before upgrading, visit the Jira 10.0 upgrade notes to review important upgrade steps and see the full list of issues resolved.

Check the compatibility of your Marketplace apps

As a major release, Jira 10.0 introduces backward-incompatible changes to the apps' API. If you build custom in-house apps, you need to test their compatibility and update them.

If you have installed apps from the Atlassian marketplace or another source, you also need to check their compatibility and update them before performing the upgrade. To check app compatibility, visit Checking app compatibility with application updates or the Atlassian Marketplace to see if your app hosting is compatible with your product version.

Resolved issues

See the full list of the issues we’ve resolved throughout the lifecycle of Jira Software 10.0.

Issues resolved in 10.0.0
Released on  

T Key Summary Status
Refresh

Issues resolved in 10.0.1
Released on 9 September 2024

T Key Summary Status
Refresh

Last modified on Oct 30, 2024

Was this helpful?

Yes
No
Provide feedback about this article

In this section

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.