Logjam (CVE-2015-4000) and Atlassian products

Please note that Java versions before 8 cannot use a Diffie-Hellman key size above 1024 bits, so make sure to upgrade all application-linked products to Java 8 before increasing the Diffie-Hellman key size above 1024 bits.

Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Excluding Fisheye and Crucible

Problem

A security scan reports that Bamboo/Confluence/Crowd/JIRA/Stash is vulnerable to Logjam (CVE-2015-4000).

Cause

Java and TLS-terminating web servers use 1024-bit Diffie-Hellman groups for key exchange by default. As a result they are exposed to the Logjam vulnerability, which is described in full detail in Logjam Attack.

Workaround

If Bamboo, Confluence, Crowd, Crucible, Fisheye, JIRA or Stash terminates SSL/TLS:

If the version of the product you are running does not support Java 8, then either upgrade to a version that does support Java 8, or offload SSL/TLS to a reverse proxy such as Apache or Nginx. Also check that the version of Java 8 in use is equal to or greater than Java 8 update 51.

When using Java 8, set the jdk.tls.ephemeralDHKeySize system property to 2048 in the JVM parameters, for example:

-Djdk.tls.ephemeralDHKeySize=2048

You may also wish to follow the details in Security tools report the default SSL Ciphers are too weak.
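The following POSIX shell script is an added example (not part of this article or of any Atlassian product) that automates the two checks above: it reads the version string out of a `java -version` banner, decides whether the JVM is Java 8 update 51 or newer, and only then emits the -Djdk.tls.ephemeralDHKeySize=2048 flag. The banner text embedded in the script is constructed to look like JVM output and is not captured from a real host; the function names are the example's own.

```shell
#!/bin/sh
# Added example: gate the 2048-bit ephemeral DH setting on the JVM version.
# Java 8u51+ honours jdk.tls.ephemeralDHKeySize=2048; older JVMs must be
# upgraded or TLS must be terminated at a reverse proxy instead.

# Constructed sample of `java -version 2>&1` output (not from a real system).
SAMPLE_JAVA_BANNER='java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b02, mixed mode)'

# Extract the quoted version string (e.g. 1.8.0_51) from a banner.
# Matches both "java version" and "openjdk version" banners.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 (true) when VERSION is Java 8 update 51 or newer, otherwise 1.
java_meets_8u51() {
    ver="$1"
    case "$ver" in
        1.*)
            # Legacy scheme: 1.<major>.<minor>_<update>
            major=$(printf '%s' "$ver" | cut -d. -f2)
            update=$(printf '%s' "$ver" | sed -n 's/^[0-9.]*_\([0-9]*\).*/\1/p')
            [ -z "$update" ] && update=0
            [ "$major" -gt 8 ] && return 0
            [ "$major" -eq 8 ] && [ "$update" -ge 51 ] && return 0
            return 1
            ;;
        *)
            # Java 9+ scheme: <major>.<minor>.<security>; always newer than 8u51
            major=$(printf '%s' "$ver" | cut -d. -f1)
            if [ "$major" -ge 9 ]; then return 0; else return 1; fi
            ;;
    esac
}

# Print the JVM flag from the article only when the JVM can honour it;
# otherwise print the alternative the article gives and fail.
dh_jvm_flag_for() {
    if java_meets_8u51 "$1"; then
        printf '%s\n' '-Djdk.tls.ephemeralDHKeySize=2048'
    else
        printf '%s\n' 'UNSUPPORTED: upgrade to Java 8u51+ or terminate TLS at a reverse proxy'
        return 1
    fi
}

# Live use on a host with a JVM on PATH:
#   dh_jvm_flag_for "$(java_version_from_banner "$(java -version 2>&1)")"
```

The emitted flag is what you append to the product's JVM options (for example the JAVA_OPTS or CATALINA_OPTS variable the product's start script reads); the script deliberately refuses to emit it for a JVM older than 8u51, because such a JVM either ignores or rejects the larger key size.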

If Apache, nginx, IIS or another web server terminates SSL/TLS:

Follow the information found at https://weakdh.org/sysadmin.html for the web server you are using. Additionally, it is recommended to follow the configuration specified in Mozilla's SSL Config Generator.
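Whichever component terminates TLS, the fix is only complete if the server actually negotiates a 2048-bit (or larger) Diffie-Hellman group. The POSIX shell script below is an added example (not from this article, Atlassian, or weakdh.org) that verifies this by parsing the "Server Temp Key" line that `openssl s_client` from OpenSSL 1.0.2 onwards prints after a handshake. The handshake transcripts embedded in it are constructed, not captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: confirm the ephemeral key a TLS endpoint negotiates, so the
# Logjam fix (DH >= 2048 bits) can be verified rather than assumed.

# Constructed excerpts of `openssl s_client` output (not from a real server).
SAMPLE_HANDSHAKE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2870 bytes and written 421 bytes'

SAMPLE_HANDSHAKE_FIXED='---
Server Temp Key: DH, 2048 bits
---'

SAMPLE_HANDSHAKE_ECDHE='---
Server Temp Key: ECDH, P-256, 256 bits
---'

# Print "<kind> <bits>" for the negotiated ephemeral key, e.g. "DH 1024",
# or "none 0" when no Server Temp Key line is present (no ephemeral exchange).
temp_key_from_handshake() {
    line=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: *//p' | head -n 1)
    if [ -z "$line" ]; then
        printf 'none 0\n'
        return 0
    fi
    kind=$(printf '%s' "$line" | cut -d, -f1)
    bits=$(printf '%s' "$line" | sed -n 's/.*, *\([0-9][0-9]*\) bits.*/\1/p')
    printf '%s %s\n' "$kind" "${bits:-0}"
}

# Return 0 when the handshake is acceptable against Logjam: finite-field DH of
# at least 2048 bits, or an elliptic-curve exchange (not affected by Logjam).
# A finite-field DH group smaller than 2048 bits returns 1.
handshake_is_ok() {
    set -- $(temp_key_from_handshake "$1")
    kind=$1
    bits=$2
    case "$kind" in
        DH)
            if [ "$bits" -ge 2048 ]; then return 0; else return 1; fi
            ;;
        *)
            # ECDH/X25519, or no ephemeral DH at all: not the Logjam DH case.
            # Cipher-suite policy still needs its own review (see the
            # "default SSL Ciphers are too weak" article).
            return 0
            ;;
    esac
}

# Live use (needs OpenSSL 1.0.2+). Forcing a DHE suite makes the server reveal
# the DH group it would use with clients that prefer DHE:
#   out=$(printf '' | openssl s_client -connect host.example:443 -cipher 'DHE' 2>/dev/null)
#   handshake_is_ok "$out" && echo "DH group ok" || echo "WEAK DH group"
```

Run the live check against each TLS-terminating endpoint (the product itself or the reverse proxy in front of it) after restarting it; a result of "DH 1024" means the JVM property or the web server's DH parameters have not taken effect.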

Last modified on Mar 30, 2016
