Confirmation about Vulnerability Note VU#576313 for the Apache Commons Collections Java library in Jira and Confluence

Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

A user wanted to know whether JIRA and Confluence are affected by the following vulnerability note regarding Apache Commons Collections:

Vulnerability Note VU#576313

Diagnosis

Environment

  • Any version of JIRA Server or Confluence Server

Resolution

Only JIRA instances with a Data Center license are vulnerable through ehcache RMI, which is used for clustering, and by default listens on port 40001. Please ensure that you only permit cluster nodes to connect to a JIRA Data Center instance's ehcache RMI port through the use of a firewall and/or network segregation.

Only Confluence instances with a Data Center license are vulnerable through Hazelcast, which is used for clustering, and by default listens on port 5801. Please ensure that you only permit cluster nodes to connect to a Confluence Data Center instance's Hazelcast port through the use of a firewall and/or network segregation.
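
One way to express the restriction described above as host firewall rules, shown as an added example that is not from Atlassian. It assumes Linux cluster nodes using iptables over IPv4; the node addresses and the function names `is_ipv4` and `cluster_port_rules` are made up for illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules so they can be reviewed.
# Ports are the defaults named in the article; node IPs are constructed samples.
JIRA_EHCACHE_RMI_PORT=40001      # JIRA Data Center ehcache RMI
CONFLUENCE_HAZELCAST_PORT=5801   # Confluence Data Center Hazelcast

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=. octet
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# cluster_port_rules PORT NODE_IP...: allow the listed nodes, drop everyone else.
cluster_port_rules() {
    local port=$1 node
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
    shift
    # Refuse an empty allowlist: a lone DROP would cut the cluster off from itself.
    [ "$#" -gt 0 ] || { echo "no cluster nodes for port $port" >&2; return 2; }
    # Validate everything before printing, so a bad entry yields no partial ruleset.
    for node in "$@"; do
        is_ipv4 "$node" || { echo "not an IPv4 address: $node" >&2; return 2; }
    done
    # ACCEPT rules first: iptables stops at the first matching rule.
    for node in "$@"; do
        echo "iptables -A INPUT -p tcp -s $node --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed cluster membership for illustration.
cluster_port_rules "$JIRA_EHCACHE_RMI_PORT" 10.0.0.11 10.0.0.12
cluster_port_rules "$CONFLUENCE_HAZELCAST_PORT" 10.0.1.21 10.0.1.22
```

If the nodes also have IPv6 addresses, the same port needs equivalent ip6tables rules, which this example does not generate.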

Updated on April 24, 2025
