Security considerations about JRE versions used in Bitbucket Data Center
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This article aims to share relevant details about the various Java versions that are used in Bitbucket Data Center.
The details shared will mostly be security-focused, but may also contain useful information when considering a Java version to install.
Solution
Bundled JRE
The ZIP and TAR.GZ archives don’t include the bundled JRE.
Starting from 7.21.1 and 8.0, the Bitbucket installer will always use the bundled JRE even if JAVA_HOME or JRE_HOME points to an existing JRE installation.
BSERV-8453: Installer should always use the bundled JRE Closed
Bitbucket Admins can still point to a custom Java installation by updating $BITBUCKET_INSTALL/bin/set-jre-home.sh.
Due to CVE-2024-21147, which may affect users running a vulnerable bundled JRE, it is recommended to upgrade to one of the following Bitbucket versions or higher: 8.9.20, 8.19.10, 9.2.1
Refer to this page for the JRE version bundled with a specific Bitbucket version: Bundled Tomcat and Java versions
Java 8
SSLv3 and earlier versions were disabled by default in Java 1.8.0_31: Java™ SE Development Kit 8, Update 31 Release Notes
TLS 1.0 and 1.1 were disabled by default in Java 8u291-b10
TLS 1.2 is used by Java 8 as the default
TLS 1.3 has been backported to Java 8
The SSL ciphers used in Java 8 are listed here: JSSE Cipher Suite Names
Oracle Java 8u311 and 8u321 are not supported due to JDK-8279618.
It is recommended to use Java 8u261 or higher to avoid failure of SSH operations: SSH operations fail after upgrading Bitbucket Server/DC or Bamboo Server/DC
Java 8 is no longer supported starting with Bitbucket DC 9.0
Java 11
TLS 1.0 and 1.1 were disabled by default in Java 11.0.11+9.
Java 11 was the first version to ship with TLS 1.3.
The SSL ciphers used in Java 11 are listed here: JSSE Cipher Suite Names
Due to various bugs in Java 11, it is recommended to use Java 11.0.8 or higher.
https://bugs.openjdk.org/browse/JDK-8209965
Using Java 11 GA (build 11+28) may cause SSLHandshakeException when connecting to the Atlassian Marketplace
BSERV-12374: Java 11 TLS 1.3 problems Closed
BSERV-11796: Failure while importing repositories when running on Java 11 Closed
BSERV-12180: Code search intermittently stops working with Java 11 JRE Closed
BSERV-12131: Webhooks intermittently stop working with Java 11 JRE Closed
Java 11 is no longer supported starting with Bitbucket DC 9.0
Java 17
The default for security handshakes in JDK 17 is TLS 1.3; previous versions of Java used TLS 1.2. (See JDK-8217633)
The SSL ciphers used in Java 17 are listed here: JSSE Cipher Suite Names
Support for Java 17 started with Bitbucket 8.8
Docker images that contain Bitbucket DC 9.0 will only use JDK17, in line with the Supported Platforms page
Java 17 introduced “Preventive GCs,” which may cause more frequent GCs. This was disabled in Java 20, with an option to re-enable it via -XX:+G1UsePreventiveGC. In Java 21, it has already been removed.
Introduced in Java 17: https://bugs.openjdk.org/browse/JDK-8257774
Disabled in Java 20: https://bugs.openjdk.org/browse/JDK-8293861
Due to an Oracle Java bug that causes Git SSH operations to fail, we support only Oracle Java 17.0.10 (in which the bug was fixed) and later.
Oracle Java 17.0.0-17.0.9 are not supported by Bitbucket.
OpenJDK Java versions are not affected.
https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8313742
Java 21
Java 21 is supported starting with Bitbucket 9.3
The SSL ciphers used in Java 21 are listed here: JSSE Cipher Suite Names
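The version notes from the Java 8, 11, 17 and 21 sections above can be turned into a check run against `java -version` output. This is an added example, not Atlassian's code: the function name `check_jre` is hypothetical, and recognising Oracle builds by the "Java(TM) SE" string in the output is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not Atlassian code): classify `java -version` output
# against the version notes in this article. check_jre is a hypothetical name.
check_jre() {
  local out="$1" vendor=openjdk ver major update old_ifs
  # Assumption: Oracle builds identify themselves with "Java(TM) SE".
  case "$out" in *"Java(TM) SE"*) vendor=oracle ;; esac
  # Keep only digits, dots and underscores, e.g. 1.8.0_311 or 17.0.9.
  ver=$(printf '%s\n' "$out" |
    sed -n 's/.* version "\([0-9][0-9._]*\).*/\1/p' | head -n 1)
  if [ -z "$ver" ]; then echo "unknown: no version string found"; return 0; fi
  old_ifs=$IFS; IFS=._
  set -- $ver   # splits into: 1 8 0 311  or  17 0 9
  IFS=$old_ifs
  if [ "$1" = 1 ]; then major=$2; update=${4:-0}
  else major=$1; update=${3:-0}; fi
  case "$major" in
    8)
      if [ "$vendor" = oracle ] && { [ "$update" -eq 311 ] || [ "$update" -eq 321 ]; }
      then echo "unsupported: Oracle Java 8u$update (JDK-8279618)"
      elif [ "$update" -lt 261 ]
      then echo "warn: below 8u261, SSH operations may fail"
      elif [ "$update" -lt 291 ]
      then echo "warn: TLS 1.0/1.1 not disabled by default before 8u291"
      else echo "ok: Java 8u$update (no longer supported from Bitbucket DC 9.0)"
      fi ;;
    11)
      if [ "$update" -lt 8 ]
      then echo "warn: below 11.0.8, see the Java 11 bugs listed above"
      elif [ "$update" -lt 11 ]
      then echo "warn: TLS 1.0/1.1 not disabled by default before 11.0.11"
      else echo "ok: Java 11.0.$update (no longer supported from Bitbucket DC 9.0)"
      fi ;;
    17)
      if [ "$vendor" = oracle ] && [ "$update" -lt 10 ]
      then echo "unsupported: Oracle Java 17.0.$update (JDK-8313742)"
      else echo "ok: Java 17.0.$update (supported from Bitbucket 8.8)"
      fi ;;
    21) echo "ok: Java 21 (supported from Bitbucket 9.3)" ;;
    *)  echo "unknown: Java $major is not covered by this article" ;;
  esac
}
# Usage: java -version writes to stderr, so redirect it.
# check_jre "$(java -version 2>&1)"
```

Run it with the JRE that Bitbucket actually starts with (the bundled one, or the one set in $BITBUCKET_INSTALL/bin/set-jre-home.sh), not whichever `java` happens to be first on the PATH.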
Logging / Troubleshooting
Enable GC logging in Bitbucket using the following guide: How to Enable Garbage Collection (GC) Logging on Bitbucket
Generate a heap dump using the following guide: How to generate a heap dump
Generate thread dumps using the following guide: Generate a Thread Dump Externally
Monitoring
Expose useful data over JMX using the following guide: Enabling JMX counters for performance monitoring