Audit Scan Failure due to SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam) port:22


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


Problem

When you run penetration-testing or compliance-scanning tools against the Hipchat Server OVA, the scanner may report the finding "SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)" against port 22. The finding means the SSH daemon on the appliance offers a Diffie-Hellman key exchange whose modulus is 1024 bits or smaller.

Cause

According to the Weak Diffie-Hellman and the Logjam Attack page:

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

The same research covers SSH. The cost of the number-field-sieve precomputation behind Logjam is paid once per group, and the SSH key exchange method diffie-hellman-group1-sha1 uses a single fixed 1024-bit group that is shared by every server offering it; the weakdh.org researchers estimate that a nation-state adversary able to break that one 1024-bit prime could passively decrypt traffic to a large share of SSH servers. A scanner that reports an SSH Diffie-Hellman modulus of 1024 bits or less on port 22 is flagging that exposure, not the TLS export-cipher downgrade described in the quote above.

Resolution

  • The port 22 finding is about the SSH daemon. Upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange, and make sure the daemon no longer offers key exchange over a 1024-bit group: diffie-hellman-group1-sha1 uses a fixed 1024-bit group and should be removed from KexAlgorithms, and the diffie-hellman-group-exchange methods take their group from the server's moduli file, so that file should contain no moduli under 2048 bits. 
  • For the Hipchat Server TLS endpoints, disable support for export cipher suites and use a 2048-bit Diffie-Hellman group. 
  • The Guide to Deploying Diffie-Hellman for TLS gives step-by-step instructions for both the TLS and the SSH changes. 
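The following script is an added example for this article; it is not Atlassian's code and not part of the Hipchat Server OVA. It audits an OpenSSH sshd_config and moduli file for the settings behind an "SSH Diffie-Hellman modulus <= 1024 bits" finding, and shows the hardened KexAlgorithms line and moduli filtering from the weakdh.org deployment guide. The sample configuration and moduli contents are constructed inline so it runs offline; the file paths, the truncated hex moduli and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this article; not Atlassian's code and not part of the
# Hipchat Server OVA. Audits an OpenSSH sshd_config and moduli file for the
# weak Diffie-Hellman settings behind an "SSH DH modulus <= 1024 bits" finding.
# All file contents and paths below are constructed for the example.

# Constructed sshd_config: KexAlgorithms still lists diffie-hellman-group1-sha1,
# whose fixed 1024-bit group (Oakley group 2) is what the port 22 finding flags.
WEAK_SSHD_CONFIG='Port 22
Protocol 2
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,curve25519-sha256@libssh.org
Ciphers aes256-ctr,aes128-ctr
'

# Hardened KexAlgorithms line from the weakdh.org guide: elliptic-curve
# exchanges first, then group exchange over SHA-256, which negotiates a group
# from the moduli file instead of using the fixed 1024-bit group1.
HARDENED_SSHD_CONFIG='Port 22
Protocol 2
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes128-ctr
'

# Constructed moduli file in the /etc/ssh/moduli column layout
# (time type tests tries size generator modulus). The size column holds the
# prime's bit length minus one: 1023 is a 1024-bit group, 2047 a 2048-bit one.
# The hex moduli are truncated placeholders, not real primes.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150521000000 2 6 100 1023 2 FFFFFFFFFFFFFFFFC90FDAA2
20150521000000 2 6 100 1535 2 FFFFFFFFFFFFFFFFC90FDAA2
20150521000000 2 6 100 2047 2 FFFFFFFFFFFFFFFFC90FDAA2
20150521000000 2 6 100 4095 2 FFFFFFFFFFFFFFFFC90FDAA2
'

# Print every KexAlgorithms entry that uses the fixed 1024-bit group
# (diffie-hellman-group1-sha1). Group-exchange methods are not listed here;
# their strength depends on the moduli file, which count_weak_moduli checks.
weak_kex_algos() {
    # $1: path to an sshd_config
    awk 'tolower($1) == "kexalgorithms" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "diffie-hellman-group1-sha1") print a[i]
         }' "$1"
}

# Count moduli whose prime is shorter than $2 bits (default 2048). Comment lines
# are ignored; the size column is (bits - 1), so "< 2048 bits" is $5 + 1 < 2048.
count_weak_moduli() {
    # $1: path to a moduli file; $2: minimum acceptable prime size in bits
    awk -v min="${2:-2048}" \
        '$0 !~ /^#/ && NF >= 7 && $5 + 1 < min { c++ } END { print c + 0 }' "$1"
}

# Write $2 containing only the comment lines and the moduli of at least $3 bits.
# This is the moduli-filtering step from the weakdh.org guide, parameterised.
filter_moduli() {
    # $1: input moduli file; $2: output path; $3: minimum prime size in bits
    awk -v min="${3:-2048}" '$0 ~ /^#/ || $5 + 1 >= min' "$1" > "$2"
}

# Materialise the constructed files so the functions can be run stand-alone.
WORKDIR=$(mktemp -d)
WEAK_CONFIG_FILE="$WORKDIR/sshd_config.weak"
HARDENED_CONFIG_FILE="$WORKDIR/sshd_config.hardened"
MODULI_FILE="$WORKDIR/moduli"
SAFE_MODULI_FILE="$WORKDIR/moduli.safe"
printf '%s' "$WEAK_SSHD_CONFIG" > "$WEAK_CONFIG_FILE"
printf '%s' "$HARDENED_SSHD_CONFIG" > "$HARDENED_CONFIG_FILE"
printf '%s' "$SAMPLE_MODULI" > "$MODULI_FILE"
filter_moduli "$MODULI_FILE" "$SAFE_MODULI_FILE" 2048

echo "Weak KEX in weak config:     $(weak_kex_algos "$WEAK_CONFIG_FILE")"
echo "Weak KEX in hardened config: $(weak_kex_algos "$HARDENED_CONFIG_FILE")"
echo "Moduli < 2048 bits before:   $(count_weak_moduli "$MODULI_FILE")"
echo "Moduli < 2048 bits after:    $(count_weak_moduli "$SAFE_MODULI_FILE")"
```

Against a real host, point the functions at /etc/ssh/sshd_config and /etc/ssh/moduli, replace the moduli file with the filtered copy, and restart sshd; remember that the OpenSSH moduli size column is one less than the bit length, so a 2048-bit floor keeps entries whose size is 2047 or more.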


Last modified on Jan 19, 2018
