Audit Scan Failure due to SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam) port:22

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く

 

問題

While running penetration testing scripts against Hipchat Server OVA, you may potentially run into this vulnerability.

原因

According to the Weak Diffie-Hellman and the Logjam Attack page:

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORTciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

ソリューション

  • In Hipchat Server case, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group. 
  • Please refer to the Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. 
  • If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.

 

最終更新日: 2018 年 1 月 19 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.