How to secure Bamboo against POODLE by disabling SSLv3

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Purpose

Disable SSLv3 in Bamboo instances that run in a Tomcat container, to protect against the POODLE exploit.

Solution

  1. Stop the Bamboo server.
  2. Edit the <Bamboo server installation directory>/conf/server.xml file:

    server.xml

    <Connector
        port="8085"
        protocol="HTTP/1.1"

        maxThreads="150" minSpareThreads="25"
        connectionTimeout="20000"
        disableUploadTimeout="true"
        acceptCount="100"

        enableLookups="false"
        maxHttpHeaderSize="8192"

        useBodyEncodingForURI="true"
        URIEncoding="UTF-8"

        redirectPort="8443">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>

    Please note these are default values; yours may look different.

  3. Add the following attribute to the connector:

    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"

    This list omits SSLv3, so the connector no longer offers it.

  4. Start the Bamboo server.

This should be sufficient for Bamboo running in its default Tomcat container.
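To check the file after editing, the following added example (not part of the original article or of Atlassian's tooling) parses a server.xml and reports, for each Connector, whether sslEnabledProtocols is set and whether it still lists an SSL-era protocol. The function name, the status labels and the embedded sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector shown above (not a real config).
SAMPLE_SERVER_XML = """\
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8085" protocol="HTTP/1.1" redirectPort="8443"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
    <Connector port="8443" protocol="HTTP/1.1"
               sslEnabledProtocols="TLSv1.2, SSLv3"/>
    <Connector port="8444" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return [(port, status, protocols)] for every <Connector> element.

    status is one of:
      "ok"                - attribute present, no SSL-era protocol listed
      "legacy-ssl-listed" - attribute present but names SSLv3/SSLv2Hello etc.
      "not-set"           - attribute missing, so the connector falls back
                            to whatever the container defaults to
    """
    results = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            results.append((port, "not-set", []))
            continue
        # Tolerate spaces around the commas in the attribute value.
        protocols = [p.strip() for p in raw.split(",") if p.strip()]
        legacy = [p for p in protocols if p.upper().startswith("SSLV")]
        results.append((port, "legacy-ssl-listed" if legacy else "ok", protocols))
    return results


if __name__ == "__main__":
    for port, status, protocols in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {status} {protocols}")
```

To audit a real installation, pass the contents of <Bamboo server installation directory>/conf/server.xml to audit_connectors() instead of the sample string.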

Extra Strength Protection

Consider updating the ciphers Tomcat is using.

In-Depth Linux SSLv3 Dive


Last modified on Jun 29, 2021
