Security risk of JIRA standalone installation running JRE version 1.6.0_26 vs 1.6.0_29 (latest)

Posted by kayaker243 on Server Fault
Published on 2011-11-14T00:31:31Z Indexed on 2011/11/14 1:54 UTC


Atlassian recently introduced a standalone installer that installs JIRA, along with its own JRE. Unfortunately the JRE Atlassian bundles with this installer is 1.6.0_26, whereas the current version of the JRE is 1.6.0_29. This is potentially concerning given there were vulnerabilities in _26 that were fixed in the subsequent versions. We are currently using the bundled-installer version of JIRA and one contractor has recommended we ditch this for the system-installed JRE.

My question is this: what is the actual security risk of continuing to use the _26 version of the JRE included in the bundled installer? There is no public access to our install of JIRA (only about 20 employees and contractors can log in to our JIRA) and it's only accessible on a subdomain of a domain at which there's no publicly-available website. If there's a not insignificant risk inherent in sticking with the older JRE, why hasn't Atlassian upgraded the default JRE?
