Jira Service Management 11.0.x upgrade notes

Below are some important notes on upgrading to Jira Service Management 11.0.x. For details on the new features and improvements in this release, see:

Platform releases allow us to incorporate multiple significant changes (often called “breaking changes”) that aren't compatible with previous versions. These changes establish a strong foundation for more extensive development in future releases.

To increase security and performance, we’ve made changes in our core architecture that require apps to bundle their libraries. We’re collaborating with our Marketplace partners on these changes. However, some apps may not be immediately compatible with the new platform upon release and may cause breaks in the product experience. We recommend that you review your apps before upgrading to avoid service disruptions for your organization.

To check app compatibility, visit Checking app compatibility with application updates or the Atlassian Marketplace to see if your app hosting is compatible with your product version.

Due to changes in the index structure, you’ll need to perform a full re-index when upgrading to Jira 11. More about Jira indexing

Check your email channel configuration

If you use the Microsoft Graph API protocol to receive customer emails and convert them into requests in Jira, make sure the email channel is configured correctly.

In Jira Service Management 11.0, incorrectly configured email channels won’t successfully pull emails. Previously, the system defaulted to pulling emails from the account that authorized the mailbox.

Explore how to configure an email channel

Spring and Jakarta upgrade

To maintain high security standards and keep dependencies supported and up to date, we’re upgrading Spring to the 6.x line, Jakarta to EE Platform 10, and Apache Tomcat to 10.1, as well as other libraries that depend on Spring and Jakarta.

The Apache Tomcat upgrade also introduces changes under the Jakarta Servlet specification. If you rely on custom server settings or connectors, review the following before upgrading:

  • Check custom server.xml configurations, especially any references to "javax.servlet" APIs. Tomcat 10.1 has migrated to the "jakarta.servlet" namespace.
  • Verify that any connectors (HTTP, AJP, etc.) are still supported and properly configured in Tomcat 10.1.
  • Confirm that any security or TLS/SSL settings are compatible with Tomcat 10.1’s default cryptographic protocols.

For detailed information on the changes introduced in Tomcat 10.1, consult the official Apache Tomcat documentation.

Upgrade to jQuery 3

We’ve upgraded jQuery from version 2 (with jquery-migrate@1.4.1) to version 3 (with jquery-migrate@3.4.0) to align on jQuery versions across all Data Center products. For products containing older versions of jQuery, this is a significant version uplift, and it will make developing cross-product apps easier.

For more details, refer to the jQuery Core 1.9 upgrade guide and jQuery Core 3.0 upgrade guide.

Removal of deprecated components in AUI 10

We’re removing some outdated AUI 10 components with design and accessibility issues (Dropdown 1 and Toolbar 1) and updating internal dependencies to better support jQuery 3 and proactively address security issues.

End of support for LESS

To enhance security and performance, we’re removing the ability to transform LESS to CSS at runtime. LESS must now be transpiled into CSS at compile time.

Global serialization filter

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

List of blocked classes and patterns
  • br.com.anteros.dbcp.AnterosDBCPConfig
  • com.sun.corba.se.impl.activation.ServerTableEntry
  • com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator
  • org.apache.commons.collections.comparators.TransformingComparator
  • org.apache.commons.collections.comparators.ComparableComparator
  • java.lang.ProcessBuilder
  • javax.imageio.ImageIO$ContainsFilter
  • jdk.nashorn.internal.objects.NativeString
  • sun.awt.datatransfer.DataTransferer$IndexOrderComparator
  • sun.swing.SwingLazyValue
  • .*\$LazyIterator
  • .*\.Lazy(?:Search)?Enumeration.*
  • .*\$GetterSetterReflection
  • .*\$PrivilegedGetter
  • (?:java|sun)\.rmi\..*
  • javax\.crypto\..*
  • .*\$ServiceNameIterator
  • javafx\.collections\.ObservableList\$.*
  • .*\.bcel\..*\.util\.ClassLoader
  • External sources
  • org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap
  • bsh.Interpreter
  • ^com\.mchange\.v2\.c3p0\..*DataSource$
  • org.apache.click.control.Column$ColumnComparator
  • clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a
  • clojure.lang.PersistentArrayMap
  • org.apache.commons.beanutils.BeanComparator
  • org.apache.commons.collections.functors.InvokerTransformer
  • org.apache.commons.collections.functors.InstantiateTransformer
  • org.apache.commons.collections.functors.ChainedTransformer
  • org.apache.commons.collections.functors.ConstantTransformer
  • org.apache.commons.collections.map.LazyMap
  • org.apache.commons.collections4.functors.InvokerTransformer
  • org.apache.commons.collections4.functors.InstantiateTransformer
  • org.apache.commons.collections4.comparators.TransformingComparator
  • org.apache.commons.collections4.functors.ChainedTransformer
  • org.apache.commons.collections4.functors.ConstantTransformer
  • org.apache.commons.fileupload.disk.DiskFileItem
  • org.codehaus.groovy.runtime.ConvertedClosure
  • org.codehaus.groovy.runtime.MethodClosure
  • org.hibernate.engine.spi.TypedValue
  • org.hibernate.tuple.component.AbstractComponentTuplizer
  • org.hibernate.tuple.component.PojoComponentTuplizer
  • com.sun.rowset.JdbcRowSetImpl
  • org.jboss.interceptor.builder.InterceptionModelBuilder
  • org.jboss.interceptor.builder.MethodReference
  • org.jboss.interceptor.proxy.DefaultInvocationContextFactory
  • org.jboss.interceptor.proxy.InterceptorMethodHandler
  • org.jboss.interceptor.reader.ClassMetadataInterceptorReference
  • org.jboss.interceptor.reader.DefaultMethodMetadata
  • org.jboss.interceptor.reader.ReflectiveClassMetadata
  • org.jboss.interceptor.reader.SimpleInterceptorMetadata
  • org.jboss.interceptor.spi.instance.InterceptorInstantiator
  • org.jboss.interceptor.spi.metadata.InterceptorReference
  • org.jboss.interceptor.spi.metadata.MethodMetadata
  • org.jboss.interceptor.spi.model.InterceptionModel
  • org.jboss.interceptor.spi.model.InterceptionType
  • org.jboss.weld.interceptor.builder.InterceptionModelBuilder
  • org.jboss.weld.interceptor.builder.MethodReference
  • org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory
  • org.jboss.weld.interceptor.proxy.InterceptorMethodHandler
  • org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference
  • org.jboss.weld.interceptor.reader.DefaultMethodMetadata
  • org.jboss.weld.interceptor.reader.ReflectiveClassMetadata
  • org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata
  • org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator
  • org.jboss.weld.interceptor.spi.metadata.InterceptorReference
  • org.jboss.weld.interceptor.spi.metadata.MethodMetadata
  • org.jboss.weld.interceptor.spi.model.InterceptionModel
  • org.jboss.weld.interceptor.spi.model.InterceptionType
  • java.rmi.registry.Registry
  • java.rmi.server.ObjID
  • java.rmi.server.RemoteObjectInvocationHandler
  • java.lang.reflect.Proxy
  • org.python.core.PyObject
  • org.python.core.PyBytecode
  • org.python.core.PyFunction
  • org.mozilla.javascript.NativeJavaObject
  • org.mozilla.javascript.NativeJavaArray
  • org.apache.myfaces.context.servlet.FacesContextImpl
  • org.apache.myfaces.context.servlet.FacesContextImplBase
  • org.apache.myfaces.el.CompositeELResolver
  • org.apache.myfaces.el.unified.FacesELContext
  • org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression
  • com.sun.syndication.feed.impl.ObjectBean
  • org.springframework.beans.factory.ObjectFactory
  • org.springframework.aop.framework.AdvisedSupport
  • org.springframework.aop.framework.JdkDynamicAopProxy
  • org.springframework.aop.target.SingletonTargetSource
  • org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider
  • org.springframework.core.SerializableTypeWrapper$TypeProvider
  • com.vaadin.data.util.NestedMethodProperty
  • com.vaadin.data.util.PropertysetItem
  • org.apache.wicket.util.upload.DiskFileItem
  • org.apache.commons.configuration.ConfigurationMap
  • flex.messaging.io.amf.ActionMessage
  • flex.messaging.io.amf.MessageHeader
  • java.io.InputStream
  • java.nio.channels.Channel
  • javax.activation.DataSource
  • javax.sql.rowset.BaseRowSet
  • sun.reflect.**
  • sun.tracing.**
  • com.sun.corba.**
  • .*\.ws\.client\.sei\..*
  • .*\$ProxyLazyValue
  • com\.sun\.jndi\..*Enumerat(?:ion|or)
  • .*\$URLData
  • .*\.xsltc\.trax\.TemplatesImpl
  • (javax|sun.swing)\..*LazyValue
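
The sketch below shows how a blocklist of this shape behaves at deserialization time, using the JDK's standard java.io.ObjectInputFilter. It is an added example, not Atlassian's implementation: the class and helper names are hypothetical, only a few entries from the list above are included, and splitting them into literal, package-glob and regex groups is this example's assumption.

```java
import java.io.*;
import java.rmi.server.ObjID;
import java.util.*;
import java.util.regex.Pattern;
import javax.crypto.spec.SecretKeySpec;

public class BlocklistFilterDemo {
    // A few entries copied from the list above, grouped by notation (grouping is an assumption).
    static final Set<String> LITERALS = Set.of(
        "java.rmi.server.ObjID", "org.apache.commons.collections.functors.InvokerTransformer");
    static final List<String> PACKAGE_GLOBS = List.of("sun.reflect.**", "com.sun.corba.**");
    static final List<Pattern> REGEXES = List.of(
        Pattern.compile("javax\\.crypto\\..*"), Pattern.compile(".*\\.xsltc\\.trax\\.TemplatesImpl"));

    static boolean isBlocked(String className) {
        if (LITERALS.contains(className)) return true;
        for (String glob : PACKAGE_GLOBS)   // "pkg.**" covers the package and its subpackages
            if (className.startsWith(glob.substring(0, glob.length() - 2))) return true;
        for (Pattern p : REGEXES)           // regex entries must match the whole class name
            if (p.matcher(className).matches()) return true;
        return false;
    }

    // Reject blocked classes before they are instantiated; stay neutral on everything else.
    static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;
        while (c.isArray()) c = c.getComponentType();   // check the element type of arrays
        return isBlocked(c.getName()) ? ObjectInputFilter.Status.REJECTED
                                      : ObjectInputFilter.Status.UNDECIDED;
    };

    static String roundTrip(Serializable value) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(value); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(FILTER);
            in.readObject();
            return value.getClass().getName() + ": accepted";
        } catch (InvalidClassException e) {
            return value.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample objects: one harmless, one literal match, one regex match.
        System.out.println(roundTrip(new ArrayList<String>(List.of("ticket-1"))));
        System.out.println(roundTrip(new ObjID(ObjID.REGISTRY_ID)));
        System.out.println(roundTrip(new SecretKeySpec(new byte[16], "AES")));
    }
}
```

For app developers, the practical consequence is that any code path that serializes and later deserializes one of the listed types will start failing with an InvalidClassException after the upgrade, so such usage should be found and replaced beforehand.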


Add scopes to REST endpoints to use OAuth 2.0 2LO

We’ve introduced @ScopesAllowed to improve security and control over REST endpoints.

Add the @ScopesAllowed annotation to your endpoints to make them accessible using an OAuth 2.0 Client Credentials token (2LO).

For example, this annotation requires that the access token has the WRITE scope before providing access to this endpoint.

@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}

Explore Jira OAuth 2.0 scopes for incoming links

OAuth 2.0 security improvements

We're implementing several important changes to our OAuth 2.0 authentication process to enhance security and efficiency.

  • Enforced global maximum time on access tokens: Access tokens will now have a maximum validity period of 1 hour. This change is designed to improve security by ensuring tokens are refreshed more frequently. You can change the value by setting the atlassian.oauth2.provider.access.token.expiration.seconds system property.
  • Maximum lifetime of client ID and secret: The lifetime of client IDs and secrets is now 90 days by default. However, you can adjust this setting to a maximum of 730 days. This change aims to encourage regular rotation of credentials. You can change the value by setting the atlassian.oauth2.provider.client.credentials.expiration.seconds system property.
  • Rotation of client credentials: We recommend regularly rotating your client credentials, including both the client ID and secret, to improve security. Setting up a rotation policy helps reduce the risk if credentials are ever compromised.
  • Revocation of rotated client credentials: Once client credentials (client ID and secret) are rotated, the previous credentials can be revoked. This ensures that only the most recent credentials remain active, reducing the risk of unauthorized access.
  • Revocation of user's refresh tokens: We now provide the ability to revoke all refresh tokens associated with a specific user. Additionally, administrators have the authority to revoke all refresh tokens for users within the system. This capability allows for greater control over session management and security.
  • Maximum number of refresh tokens: The maximum number of refresh tokens allowed per client ID and user is limited to 25. This limitation helps manage resource usage and ensures that token proliferation is kept in check. You can change the value by setting the atlassian.oauth2.provider.refresh.token.limit.per.client.user system property.

Basic authentication disabled by default

We’re disabling basic authentication by default. This is a first step towards the removal of basic authentication altogether as we develop and mature alternatives to support the remaining few use cases.

Updated Tomcat protocols

We’ve updated the protocols provided by Jira that extend the Tomcat protocols with support for password encryption:

| Crowd protocol | Based on Tomcat protocol | Supported attributes for password encryption |
|---|---|---|
| com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol | KeystorePass, KeyPass, SSLPassword, TruststorePass |
| com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol | KeystorePass, KeyPass, SSLPassword, TruststorePass |
| com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | secret |
| com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | secret |

The APR/Native library and the APR/Native Connectors, including both AJP and HTTP, are deprecated in Tomcat 10 and will be removed starting from Tomcat 10.1.x. Specifically, the Http11AprProtocol (HTTP connector) and the AjpAprProtocol (AJP connector) are deprecated. Consequently, com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption and com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption are no longer supported in Jira 11.
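
One way to check a server.xml for the APR-based connectors that are no longer supported and for leftover javax.servlet references before upgrading. This is an added example, not Atlassian tooling; the class name ConnectorCheck and the sample XML with its ports are constructed for illustration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ConnectorCheck {
    // Constructed sample input; read your own conf/server.xml into a String instead.
    static final String SAMPLE = """
        <Server>
          <Service name="Catalina">
            <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
            <Connector port="8443" protocol="com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption"/>
            <Connector port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol"/>
          </Service>
        </Server>
        """;

    static List<String> findings(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the parser cannot be used for XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        List<String> out = new ArrayList<>();
        NodeList connectors = doc.getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            String protocol = c.getAttribute("protocol");
            // Matches Http11AprProtocol, AjpAprProtocol and their ...WithPasswordEncryption variants.
            if (protocol.contains("AprProtocol")) {
                out.add("port " + c.getAttribute("port") + ": APR connector " + protocol);
            }
        }
        // Any leftover javax.servlet class reference must move to jakarta.servlet.
        if (xml.contains("javax.servlet")) {
            out.add("javax.servlet reference found; Tomcat 10.1 uses jakarta.servlet");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        findings(SAMPLE).forEach(System.out::println);
    }
}
```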


Changes to supported platforms

For the full list of supported platforms, see Supported platforms.

For previous announcements, see End of support announcements.

We’ve removed support for:

  • JDK 17
  • PostgreSQL 15
  • PostgreSQL 14
  • PostgreSQL 13
  • PostgreSQL 12
  • MySQL 8.0
  • Oracle 18c
  • MSSQL Server 2017

Added support

We’ve added support for:

  • JDK 21
  • PostgreSQL 17
  • MySQL 8.4 LTS

This version of Jira will only run on Java 21.

App developers

Check out Preparing for Jira 11.0 for any important changes regarding apps.

Upgrade procedure

To help you upgrade to the latest and greatest:

  • See Upgrading Jira applications for complete upgrade procedures, including all available upgrade methods and pre-upgrade steps.
  • For a more tailored upgrade, go to Jira administration, then Applications, and then Plan your upgrade. We’ll recommend a version to upgrade to, run pre-upgrade checks, and provide you with a custom upgrade guide with step-by-step instructions.

Last modified on Aug 14, 2025
