Impact of CVE-2020-1938 on Atlassian products


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Excluding Fisheye and Crucible

Problem

The recently disclosed Tomcat vulnerability (CVE-2020-1938) affects the following versions:
- Apache Tomcat 6
- Apache Tomcat 7.x < 7.0.100
- Apache Tomcat 8.x < 8.5.51
- Apache Tomcat 9.x < 9.0.31

The exploit is only possible if you are using an AJP connector, not the regular HTTP connector that both Jira and Confluence use by default. You are only at risk if you have manually configured your instance to use an AJP connector. You can verify whether an AJP connector is in use by checking your $Jira-INSTALL/conf/server.xml file. By default the relevant section looks like the example below. If the connector is commented out in your instance, as denoted by <!-- and -->, then your instance is not at risk from this CVE. The following example is from an instance that is not affected.


        <!--
         ==============================================================================================================
         AJP - Proxying Jira via Apache over HTTP or HTTPS

         If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
         See the following for more information:

            Apache - https://confluence.atlassian.com/x/QiJ9MQ
         ==============================================================================================================
        -->

        <!--
        <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
        -->


At the time of this writing the latest version of Jira, 8.7.1, ships with Tomcat 8.5.42, which is still a Tomcat version vulnerable to this CVE if the AJP connector is enabled. If your instance is using the AJP connector, switch to another connector method such as the HTTP connector until Jira/Confluence are released with an updated version of Tomcat.
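The two checks described above (is an AJP connector actually live in server.xml, and is the bundled Tomcat one of the affected versions) can be scripted so that an administrator does not have to eyeball the comment markers. The following Python is an added example written for this article, not Atlassian's own tooling; the two server.xml samples are constructed inline, and the version thresholds are taken directly from the list at the top of the article.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the default server.xml shape, with the AJP connector
# left inside an XML comment exactly as shipped.
SERVER_XML_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!--
    <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
    -->
  </Service>
</Server>
"""

# Constructed sample: the same file after an admin uncommented the AJP line.
SERVER_XML_AJP_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

# Affected ranges from the article: Tomcat 6 (all), 7.x < 7.0.100,
# 8.x < 8.5.51, 9.x < 9.0.31. None means "every release of that major".
FIXED_IN = {6: None, 7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def active_ajp_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return the attributes of every live (non-commented) AJP connector.

    ElementTree drops XML comments while parsing, so a connector wrapped in
    <!-- ... --> never reaches the tree. That is precisely the distinction
    the article draws between a safe and an exposed server.xml, and it is
    more reliable than grepping for the string "AJP".
    """
    root = ET.fromstring(server_xml)
    return [
        dict(conn.attrib)
        for conn in root.iter("Connector")
        if conn.get("protocol", "").upper().startswith("AJP")
    ]


def tomcat_is_affected(version: str) -> bool:
    """True if a dotted Tomcat version falls inside the article's affected ranges."""
    parts = tuple(int(p) for p in version.split("."))
    major = parts[0]
    if major not in FIXED_IN:
        raise ValueError(f"Tomcat {major}.x is not covered by the article's list")
    fixed = FIXED_IN[major]
    if fixed is None:
        return True
    return parts < fixed


def assess(server_xml: str, tomcat_version: str) -> str:
    """Combine both checks: only an enabled AJP connector on an affected Tomcat is at risk."""
    if not tomcat_is_affected(tomcat_version):
        return "not at risk"
    if not active_ajp_connectors(server_xml):
        return "not at risk"
    return "at risk"


if __name__ == "__main__":
    # Replace the samples with open("<JIRA-INSTALL>/conf/server.xml").read()
    # and the Tomcat version reported in the Jira/Confluence system info page.
    for label, xml in (("default", SERVER_XML_DEFAULT), ("ajp enabled", SERVER_XML_AJP_ENABLED)):
        print(f"{label} on Tomcat 8.5.42: {assess(xml, '8.5.42')}")
```

Because the parser discards comments, a connector inside `<!-- -->` simply does not exist to the script, which mirrors Tomcat's own behaviour; the version check alone is not sufficient, since the article's point is that an unmodified server.xml on Tomcat 8.5.42 is still not exposed.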


The following KB article should not be used on affected versions of Jira:

Configuring an Apache reverse proxy using the AJP protocol


Description: CVE-2020-1938
Products: Jira, Confluence

Last updated: May 2, 2022
