Sendbulkmail endpoint in JIRA

Pangeel Shubha July 12, 2019

Hi,

We received the email from Atlassian about the vulnerability and we are unable to upgrade our version right away.

We have disabled the Contact Administrators Form option in settings as a quick workaround.

But we are unsure if we run on Apache Tomcat. Assuming we don't, where do we disable the sendbulkmail endpoint?

2 answers

1 vote
Andy Heinzer
Atlassian Team
July 12, 2019

Hi Pangeel,

All versions of Jira Server and Data Center bundle with them an Apache Tomcat webserver. 

This is a Java-based webserver that hosts Jira's website. You might also have a reverse proxy or a load balancer in front of Jira that might be passing traffic to Tomcat, but you must have Tomcat * (unless of course you are running a really old version of Jira WAR, which could in theory be deployed to some other kind of web server container, but I doubt this since Atlassian has not supported these for a few years now).

To that end, it's possible you could block access to this in your proxy/load balancer, but it's probably best to do so in Tomcat, in case you have any internal traffic that can reach your Jira site without having to pass through the proxy.

However, since that part of this advisory is only exploitable by users with Jira Administrator rights, it feels like that part of this mitigation is far less of a priority if you trust your administrators.

I hope this helps.

Andy

Pangeel Shubha July 14, 2019

Thanks @Andy Heinzer. I am one of the Jira Administrators for configurations. The installation and others were done by another teammate who is not part of the team now.

Shall try to investigate further about Tomcat and modify accordingly. Thanks again.
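The point above about internal traffic that reaches Jira without passing through the proxy can be checked once a block is in place. The script below is an added example, not part of this thread or of Atlassian's instructions: it sends one unauthenticated GET to the endpoint over each route and reports which routes still get an answer from Jira. The endpoint path, the route URLs, and the reading of status codes (a blocking rule answers 403 or 404, an unblocked Jira answers with a page or a login redirect) are assumptions; take the path from the advisory email.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Assumed path for the endpoint named in this thread; confirm it against the advisory.
ENDPOINT = "/secure/admin/SendBulkMail!default.jspa"

def probe(base_url, path=ENDPOINT, timeout=5):
    """One unauthenticated GET; returns the HTTP status, or None if no answer.
    Redirects are not followed, so a bounce to the login page shows as 3xx."""
    u = urlsplit(base_url)
    https = u.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path.rstrip("/") + path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def classify(status):
    if status is None:
        return "unreachable"      # route closed, or URL wrong: check by hand
    if status in (403, 404):
        return "blocked"          # assumed response of a deny rule
    if 200 <= status < 400:
        return "exposed"          # Jira answered (page or login redirect)
    return "inconclusive"

def audit(routes, probe_fn=probe):
    """routes maps a label to a base URL; returns {label: verdict}."""
    return {label: classify(probe_fn(url)) for label, url in routes.items()}

def exposed_routes(verdicts):
    # A single exposed route means a proxy-only rule can be bypassed.
    return sorted(label for label, v in verdicts.items() if v == "exposed")

if __name__ == "__main__":
    # Constructed usage: check.py proxy=https://jira.example.internal direct=http://10.0.0.5:8080
    routes = dict(arg.split("=", 1) for arg in sys.argv[1:])
    verdicts = audit(routes)
    for label, verdict in verdicts.items():
        print(f"{label:10} {routes[label]:40} {verdict}")
    sys.exit(1 if exposed_routes(verdicts) else 0)
```

Run it from a host inside the network as well as from outside, since the direct Tomcat port is usually only reachable internally.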

0 votes
Fadoua
Community Leader
July 12, 2019
