Drawbacks of outdated software versions - why you shouldn’t leave updates unattended
Outdated software versions affect a system's security, performance and functional effectiveness.
Based on Atlassian’s history of security incidents, the following article describes potential risks associated with old software versions.
Furthermore, we describe the types of product releases and noteworthy improvements in newer Jira and Confluence version releases.
Security flaws and bugs are among the biggest enemies of your products
Searching product code for security vulnerabilities is a favorite way for hackers to find a route into your system.
Bugs are flaws in a system that cause it to produce an incorrect or unexpected result.
CVE-2019-3396 and CVE-2020-36239 - how hackers exploit security flaws
In spring 2019, Atlassian announced a fix for a critical security vulnerability, CVE-2019-3396, in Confluence Server and Data Center products.
Following the announcement for CVE-2019-3396, hackers started to attack the vulnerable instances, using the Widget Connector macro.
Infected systems were used for cryptocurrency mining and launching distributed denial of service (DDoS) attacks.
In July 2021 Atlassian released another security advisory to address a critical Jira vulnerability CVE-2020-36239 in Jira Data Center (Software, Core) and Jira Service Management Data Center products.
The CVE-2020-36239 Jira vulnerability originates from unrestricted access to Ehcache RMI ports, which hackers use to execute code remotely.
Ehcache is an open-source, standards-based cache that boosts performance, offloads databases, and simplifies scalability.
Product versions affected by CVE-2020-36239 that should be updated as soon as possible:
Jira Data Center, Jira Core Data Center and Jira Software Data Center:
- 6.3.0 <= version < 8.5.16
- 8.6.0 <= version < 8.13.8
- 8.14.0 <= version < 8.17.0
Jira Service Management Data Center:
- 2.0.2 <= version < 4.5.16
- 4.6.0 <= version < 4.13.8
- 4.14.0 <= version < 4.17.0
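The ranges above can be checked against an inventory of installed versions. The following Python sketch is an added example, not Atlassian's code: the product labels `jira` and `jsm`, the function names and the sample hostnames are assumptions made for illustration. It compares version components numerically, because a plain text comparison would place 8.5.9 above 8.5.16 and wrongly report it as fixed.

```python
# Affected ranges for CVE-2020-36239, copied from the lists above.
# Each pair is (lower bound, upper bound): affected when low <= v < high.
AFFECTED = {
    "jira": [("6.3.0", "8.5.16"), ("8.6.0", "8.13.8"), ("8.14.0", "8.17.0")],
    "jsm":  [("2.0.2", "4.5.16"), ("4.6.0", "4.13.8"), ("4.14.0", "4.17.0")],
}


def parse_version(text):
    """Turn '8.5.9' into (8, 5, 9) so components compare as numbers, not text."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(product, version):
    """True if the version falls inside any affected range for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED[product])


def triage(inventory):
    """Split (host, product, version) rows into affected, ok and needs-review."""
    result = {"affected": [], "ok": [], "review": []}
    for host, product, version in inventory:
        try:
            bucket = "affected" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            bucket = "review"  # unknown product label or unparseable version
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames are invented for the example).
SAMPLE = [
    ("jira-prod", "jira", "8.5.9"),     # a text compare would rank this above 8.5.16
    ("jira-lts", "jira", "8.5.16"),     # upper bound of the first range, not affected
    ("jira-test", "jira", "8.6.0"),     # higher than 8.5.16, yet inside the second range
    ("helpdesk", "jsm", "4.13.7"),
    ("helpdesk-new", "jsm", "4.17.0"),
    ("legacy", "jira", "8.x-custom"),   # cannot be parsed, goes to manual review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Note that the ranges are not contiguous: 8.5.16 is outside the affected set while the numerically higher 8.6.0 is inside it, so "newer than a fixed version" is not a safe test on its own.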
Release terminology for Atlassian Data Center and server products and important improvements with new product versions
Atlassian product release types:
- platform release (example: Confluence 4.0) contains significant or breaking changes, for example changes to or removal of existing APIs, significant changes to the user experience, or removal of a major feature;
- feature release (example: Confluence 4.6) can contain new features, changes to existing features, changes to supported platforms (such as databases, operating systems, Git versions), or removal of features;
- bugfix release (example: Confluence 4.6.2) can contain bug fixes and stability and performance improvements. They may introduce minor changes to existing features, but do not include new features or high-risk changes.
Besides the above, a feature release can also be designated a Long Term Support (LTS) release.
A Long Term Support release receives backported critical security updates and critical bug fixes during its entire two-year support window.
Organizations with complex instances and large user tiers that require significant planning are recommended to upgrade to a Long Term Support release.
Besides ongoing bug fixes and security patches, new product versions include features that improve user experience and work efficiency.
Some notable changes for Jira Software, Confluence and Jira Service Management:
Jira Software Data Center:
- faster indexing – upgrade of Lucene, Jira’s search-based subsystem engine. Available from version 8.0;
- disabling incompatible apps (add-ons) – available from version 8.0;
- accessibility – new options to change your personal accessibility settings – e.g. background colors, patterns on issue statuses, text spacing or underlined links. Available from version 8.9;
- Advanced Roadmaps – available from version 8.15.
Jira Service Management Data Center:
- Insight – Asset Management – included in Jira Service Management from version 4.5;
- managing multiple issues at once with bulk actions – available from version 4.8;
- revamped audit log – available from version 4.8;
- new supported platforms - Microsoft SQL Server 2019 database and Microsoft Edge (Chromium) browser available from version 4.17.
Confluence Data Center:
- bulk apply permissions changes to other spaces – useful when you want to copy group permissions to other spaces. Available from version 7.3;
- Analytics for Confluence – analytics for all the content in your site per space or page - visualize trends in viewing, creating, and updating across your site. Identify popular spaces and active users. Available from version 7.1;
- Team Calendars – create calendars for yourself and your team that are connected to spaces and can be restricted with permissions. As well as adding your own calendar events, you can populate your calendars automatically, with data from: Google, Outlook, iCloud. Available from version 7.11.
Fewer risks and more functionality with updated versions
Keeping your product version up to date is a good practice towards a secure, efficient and user-friendly system.