Logjam (CVE-2015-4000) およびアトラシアン製品
Please note Java versions before 8 cannot use a Diffie-Hellman key size above 1024bits so make sure to upgrade all application linked products to use Java 8 before increasing the Diffie-Hellman key size above 1024bits.
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
問題
A security scan reports that Bamboo/Confluence/Crowd/JIRA/Stash is vulnerable to Logjam (CVE-2015-4000).
原因
Java and TLS-dependent web servers use a Diffie-Hellman 1024 bit-group encryption by default. As a result of this they are vulnerable to a specific security vulnerability, described in full detail in Logjam Attack.
回避策
If Bamboo or Confluence or Crowd or Crucible or Fisheye or JIRA or Stash terminate SSL/TLS:
If the version of the product you are running does not support Java 8 then either upgrade to a version that does support Java 8,or offload the SSL at a reverse-proxy such as Apache or Nginx. Also, check that the version of Java 8 in use is equal to or great than Java 8 update 51.
When using Java 8, set the jdk.tls.ephemeralDHKeySize to 2048in the JVM parameters, for example:
-Djdk.tls.ephemeralDHKeySize=2048You may also wish to follow the details in Security tools report the default SSL Ciphers are too weak.
If Apache/nginx/IIS or another web server terminate SSL/TLS:
Follow the information found at https://weakdh.org/sysadmin.html for the web server you are using. Additionally it's recommended to follow the configuration specified in Mozilla's SSL Config Generator.