August 2019 Atlassian Release Highlights

2 September 2019

Welcome to the August 2019 edition of our monthly recurring blog post covering the highlights of Atlassian Server and Data Center product updates. For each Server and Data Center product, we cover a selection of the most interesting new features, bug fixes and security advisories that were released in the last month.

As TMC ALM, we provide services for keeping your products up-to-date. We have a lot of experience with upgrading Atlassian environments safely and securely. Your data and business continuity have our top priority!
For more information, please check out our services page or contact us.


Jira’s August Release Highlights

Jira 8.3.1, 8.3.2 and 8.3.3 (Jira Service Desk 4.3.1, 4.3.2 and 4.3.3) were released by Atlassian this month.

Jira 8.3.1 and Jira Service Desk 4.3.1

These releases solely contain the full fix for the i18n bug. Please refer to the previous edition of this blog series for further details.


Jira 8.3.2 and Jira Service Desk 4.3.2

With Jira 8.3.2 Atlassian fixes a large number of outstanding major security bugs and low-priority bugs. Below is a list of the most interesting ones.

  • When creating a linked issue and copying attachments a Java exception is thrown. The issue is created but this isn’t visible due to the exception thrown. This issue is fixed (JRASERVER-68980).
  • Since Jira 8.2.2 the logs would randomly be flooded with ScrollIntoView.js and DefaultMessageOptions.js warnings, especially when searching for issues using Issue Navigator. This is reported to cause slowness in several cases. Fixed (JRASERVER-69605).
  • The wiki renderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2, allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the image attribute specification. Fixed in Jira 8.3.2 and Enterprise release 7.13.6 (JRASERVER-69779).
  • A major security vulnerability (not critical) has been fixed with Jira 8.3.2 and Enterprise release 7.13.6. The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users and, in some cases, obtain a user’s Cross-site request forgery (CSRF) token via an open redirect vulnerability (JRASERVER-69780/CVE-2019-11589).
  • Another major security vulnerability (not critical) has been fixed with Jira 8.3.2 and Enterprise release 7.13.6. The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability (JRASERVER-69781/CVE-2019-11588).
  • The third major security vulnerability (not critical) that has been fixed with Jira 8.3.2 and Enterprise release 7.13.6 concerns various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2, which allow remote attackers to modify various settings via Cross-site request forgery (CSRF) (JRASERVER-69782/CVE-2019-11587).
  • Last but not least, a medium security vulnerability (CVE-2019-11584) has been fixed from Jira 8.3.2 onwards. This concerns the MigratePriorityScheme resource in Jira before version 8.3.2, which allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the priority icon URL of an issue priority (JRASERVER-69785).

Jira Service Desk 4.3.2 contains a number of JSD-specific minor bug fixes as well; here are the highlights:

  • Incoming mail stops processing if the email subject field carries more than 255 characters (JSDSERVER-6441).
  • Some issue statuses (Waiting for support and Waiting for customer) that are auto-generated by Jira Service Desk are categorized as “No Category”, which is not allowed in normal Jira (JSDSERVER-6355).
  • If Modify Reporter permission is revoked from Service Desk Customer – Portal Access, then customers with mixed-case username can’t edit request participants from Customer Portal (JSDSERVER-6345).
  • If “Assign issue” permission is not provided to Portal Customers, they will be unable to share requests with other customers (JSDSERVER-6267).

Jira 8.3.3 and Jira Service Desk 4.3.3

Jira 8.3.3 contains a critical fix for a bug that causes Jira not to start on AWS (Amazon Cloud) environments and two minor bug fixes which are not very interesting.

For Jira Service Desk, release 4.3.3 includes a “Highest”-priority bug fix which repairs various Microsoft SQL Server problems that started occurring since JSD 4.3.0.

Our Advice

Jira 8.3.2 is pretty much a must-upgrade considering the number of security vulnerabilities fixed and a major bug that is fully solved. If you are working with the Enterprise releases, Jira 7.13.6 is the corresponding must-upgrade.

The same goes for Jira Service Desk; we suggest upgrading to 4.3.2 as soon as possible. If you are using a MS SQL database, please upgrade to JSD 4.3.3.

Confluence’s August Release Highlights

On August 28th, Atlassian published a security advisory for Confluence. Releases 6.6.16, 6.13.8 and 6.15.9 have been published to fix this vulnerability.

In the meantime, Atlassian also released Confluence 6.15.8, which in turn contained a bug making collaborative editing unusable on Windows. This has been fixed in 6.15.9 and Enterprise release 6.13.8.

Confluence Security Advisory CVE-2019-3394

A critical security advisory for all Confluence versions prior to 6.15.8 was published on August 28th, 2019.

What this comes down to is that a user with the Add Page space permission is able to read files from the <install-directory>/confluence/WEB-INF directory. This folder might contain LDAP credentials or other sensitive information.

Please read the “Our Advice” section or contact us on how to mitigate the risk, or to have us consult you on upgrading Confluence to a secure version.

Confluence 6.15.8 and 6.15.9 contain one notable bug fix, which repairs XML site exports created from Confluence 6.14.0 and higher that may fail to import into a new Confluence instance (CONFSERVER-58556).

Our Advice

Please check your <install-directory>/confluence/WEB-INF directory and its subdirectories (especially /classes/) for any files that contain LDAP or Crowd credentials (crowd.properties, atlassian-user.xml), or files that contain any other sensitive data that may have been put in this directory. If nothing is found, this vulnerability is not immediately exploitable and upgrading is not worth the time and effort. Otherwise either upgrade to Confluence 6.15.9 or apply the temporary workaround provided in the advisory for CVE-2019-3394.
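To make that check repeatable across several Confluence nodes, here is an added shell script; it is our example and not Atlassian tooling or part of the advisory. It walks a WEB-INF tree read-only and lists the two files named above plus any .properties, .xml or .cfg file whose content contains a credential-looking key. The install path in the comment, the keyword list and the sample tree it builds for the offline demo are all constructed assumptions.

```shell
#!/bin/sh
# Added example: read-only scan of a Confluence WEB-INF tree for files that
# typically hold LDAP/Crowd credentials. Not Atlassian tooling; the sample
# tree, install path and keyword list below are assumptions for the demo.

# File names the advice above calls out explicitly.
KNOWN_NAMES='crowd.properties atlassian-user.xml'

# Print every *.properties / *.xml / *.cfg file under DIR that either has one
# of the known names or contains a credential-looking key. One line per hit:
# <path><TAB><reason>. Nothing is modified; the scan only reads files.
scan_webinf() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "scan_webinf: '$dir' is not a directory" >&2
    return 2
  fi
  find "$dir" -type f \( -name '*.properties' -o -name '*.xml' -o -name '*.cfg' \) 2>/dev/null |
  while IFS= read -r f; do
    base=$(basename "$f")
    reason=''
    for n in $KNOWN_NAMES; do
      if [ "$base" = "$n" ]; then reason='known-credential-file'; fi
    done
    # Keys that usually sit next to a secret (assumed list, case-insensitive).
    if [ -z "$reason" ] && grep -qiE 'password|credential|binddn|ldap\.' "$f"; then
      reason='credential-like-content'
    fi
    if [ -n "$reason" ]; then
      printf '%s\t%s\n' "$f" "$reason"
    fi
  done
}

# Build a constructed WEB-INF tree in a temp directory so the example runs
# offline, and print its path. All file contents are made-up sample data.
make_sample_webinf() {
  d=$(mktemp -d)
  mkdir -p "$d/classes" "$d/lib"
  printf 'application.name=confluence\napplication.password=EXAMPLE-ONLY\n' \
    > "$d/classes/crowd.properties"
  printf '<atlassian-user><ldap><securityCredential>EXAMPLE-ONLY</securityCredential></ldap></atlassian-user>\n' \
    > "$d/classes/atlassian-user.xml"
  printf 'ldap.url=ldap://ldap.example.test\nldap.bindDN=cn=svc,dc=example,dc=test\n' \
    > "$d/classes/ldap.properties"
  printf 'log4j.rootLogger=WARN\n' > "$d/classes/log4j.properties"
  printf '<web-app></web-app>\n' > "$d/web.xml"
  echo "$d"
}

# Run directly: scan the directory given as argument, e.g.
#   sh scan-webinf.sh /opt/atlassian/confluence/confluence/WEB-INF
# (that path is an assumption; use your own <install-directory>).
# With no argument, scan the constructed sample tree instead.
if [ -n "${1:-}" ]; then
  scan_webinf "$1"
else
  sample=$(make_sample_webinf)
  scan_webinf "$sample"
  rm -rf "$sample"
fi
```

On the sample tree the scan reports crowd.properties and atlassian-user.xml by name and ldap.properties by content, while web.xml and log4j.properties stay silent. A hit does not by itself prove the vulnerability is exploitable; it tells you the directory holds material worth protecting, which is exactly the case in which the advice above says to upgrade or apply the workaround rather than defer.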

Please read our previous edition regarding detailed upgrade advice.


Bitbucket’s August Release Highlights

The Bitbucket 6.6 feature release has been released by Atlassian on August 27th. This release includes new features that lighten the load for admins and streamline the developer workflow.

The most notable addition in our opinion is Project Links. This is the ability to link a Bitbucket project to projects in other Atlassian applications. For example, with Project Links set up between Bitbucket Server and Jira, when you create a Bitbucket branch from Jira, repositories from the linked Bitbucket project are prioritized in the repo list, making it easy to pick the right one. What’s more, these links also work the other way: when you create a Jira issue from a comment in Bitbucket, the linked Jira project is pre-selected in the project list. So, no more selecting repositories from other projects by accident for your tickets.

Most bug fixes were minor, but there are some additional interesting features in this release:

  • Rate limiting allows your Bitbucket instance to protect itself against large volumes of requests. It keeps Bitbucket stable by giving you control over how many requests automations can make, and how often they can make them.
  • Commenting on a Pull Request now allows you to suggest code changes directly in the comment.

Our Advice

WARNING: On September 2nd, Atlassian released bug fix release 6.6.1 for Bitbucket Server and Data Center. The backup client in Bitbucket 6.6.0 is not functioning properly and could crash your Bitbucket instance. Do not install Bitbucket 6.6.0, but 6.6.1 instead!

It all depends on what release you are currently at. Unless you are on Bitbucket 6.1.2 or lower, upgrading is not necessary. A lot of nice features have been added since that release though. With Bitbucket 6.6, the addition of Project Links could make managing Jira tickets with commits a lot less error-prone for your users.


Bamboo’s August Release Highlights

Bamboo received no new releases in August.


That’s it! We hope you found it useful and if you have any questions regarding the above, do not hesitate to contact us!