Security risk of JIRA standalone installation running JRE version 1.6.0_26 vs 1.6.0_29 (latest)
Posted by kayaker243 on Server Fault, published 2011-11-14T00:31:31Z
Atlassian recently introduced a standalone installer that installs JIRA, along with its own JRE. Unfortunately the JRE Atlassian bundles with this installer is 1.6.0_26, whereas the current version of the JRE is 1.6.0_29. This is potentially concerning given there were vulnerabilities in _26 that were fixed in the subsequent versions. We are currently using the bundled-installer version of JIRA and one contractor has recommended we ditch this for the system-installed JRE.
My question is this: what is the actual security risk of continuing to use the _26 version of the JRE included in the bundled installer? There is no public access to our install of JIRA (only about 20 employees and contractors can log in to our JIRA) and it's only accessible on a subdomain of a domain at which there's no publicly-available website. If there's a not insignificant risk inherent in sticking with the older JRE, why hasn't Atlassian upgraded the default JRE?
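Whatever the answer on risk, the first thing an administrator wants to know is which JRE the JIRA process is actually running and how far behind a required update level it is. The POSIX shell below is an added example, not code from the question or from Atlassian: it parses the `java -version` output of a 1.6.0 JRE into its update number, compares that number against a minimum, and reports on a java binary by path. The location of the bundled JRE (`<install dir>/jre/bin/java` under `JIRA_INSTALL`) and the constructed sample output for 1.6.0_26 are assumptions, labelled in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): parse a Java 1.6.0_NN version
# string and decide whether it is older than a required update level.

# Extract the update number ("26" from 'java version "1.6.0_26"').
# Accepts the full multi-line `java -version` output or a bare "1.6.0_26";
# the build line also matches the pattern, so only the first hit is kept.
jre_update() {
    printf '%s\n' "$1" | sed -n 's/.*1\.6\.0_\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the version is below the minimum update number,
# 1 when it meets or exceeds it, 2 when the string is not a 1.6.0 version.
jre_below_minimum() {
    _ver=$(jre_update "$1")
    _min="$2"
    [ -n "$_ver" ] || return 2
    [ "$_ver" -lt "$_min" ]
}

# Run a given java binary and report whether its JRE is below the minimum.
# The bundled installer is assumed (not confirmed by the post) to keep its
# JRE under <install dir>/jre; pass whichever binary JIRA is configured with.
check_java_binary() {
    _bin="$1"; _min="$2"
    if [ ! -x "$_bin" ]; then
        echo "$_bin: not found or not executable"; return 2
    fi
    _out=$("$_bin" -version 2>&1)
    if jre_below_minimum "$_out" "$_min"; then
        echo "$_bin: update $(jre_update "$_out") is below required update $_min"; return 0
    else
        echo "$_bin: update $(jre_update "$_out") meets required update $_min"; return 1
    fi
}

# Constructed sample of what `java -version` prints for a 1.6.0_26 JRE.
SAMPLE_26='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)'

# Demo: compare the constructed sample, then inspect the assumed bundled JRE.
if [ "${1:-}" = "--demo" ]; then
    if jre_below_minimum "$SAMPLE_26" 29; then
        echo "sample JRE 1.6.0_26 is below update 29"
    fi
    check_java_binary "${JIRA_INSTALL:-/opt/atlassian/jira}/jre/bin/java" 29
fi
```

Run with `--demo` to see the sample comparison and a check of the assumed bundled binary; point `JIRA_INSTALL` at the real install directory, and run the same check against the system `java` to confirm which of the two the service is actually using before deciding whether to switch.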
© Server Fault or respective owner