Logjam (CVE-2015-4000) and Atlassian Products
Please note that Java versions before 8 cannot use a Diffie-Hellman key size above 1024 bits, so make sure to upgrade all application-linked products to Java 8 before increasing the Diffie-Hellman key size above 1024 bits.
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
A security scan reports that Bamboo/Confluence/Crowd/JIRA/Stash is vulnerable to Logjam (CVE-2015-4000).
Cause
Java and TLS-dependent web servers use 1024-bit Diffie-Hellman groups by default. As a result, they are vulnerable to a specific security vulnerability, described in full detail in Logjam Attack.
Workaround
If Bamboo, Confluence, Crowd, Crucible, Fisheye, JIRA or Stash terminates SSL/TLS:
If the version of the product you are running does not support Java 8, then either upgrade to a version that does support Java 8, or offload SSL at a reverse proxy such as Apache or Nginx. Also, check that the version of Java 8 in use is equal to or greater than Java 8 update 51.
When using Java 8, set jdk.tls.ephemeralDHKeySize to 2048 in the JVM parameters, for example:
-Djdk.tls.ephemeralDHKeySize=2048
You may also wish to follow the details in Security tools report the default SSL Ciphers are too weak.
If Apache, nginx, IIS or another web server terminates SSL/TLS:
Follow the information found at https://weakdh.org/sysadmin.html for the web server you are using. Additionally, it is recommended to follow the configuration specified in Mozilla's SSL Config Generator.
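Whichever side terminates TLS (the JVM with the jdk.tls.ephemeralDHKeySize parameter above, or a reverse proxy configured per weakdh.org), the thing to verify afterwards is the Diffie-Hellman group size the endpoint actually negotiates. The script below is an added example and is not part of this article or of any Atlassian product. It assumes OpenSSL 1.0.2 or later, whose s_client prints a "Server Temp Key: DH, N bits" line when a DHE cipher suite is negotiated (older releases omit that line), and the hostname and sample output in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Atlassian KB article.
# Checks what size Diffie-Hellman group a TLS endpoint actually negotiates,
# which is the property the Logjam workaround changes. Assumes OpenSSL 1.0.2
# or later, whose `openssl s_client` prints "Server Temp Key: DH, N bits"
# when a DHE suite is negotiated (assumption; older releases omit that line).

# dh_bits_from_output: read s_client output on stdin and print the DH group
# size in bits, or "none" when no DHE key exchange appears in the output.
dh_bits_from_output() {
    awk '/Server Temp Key: DH,/ {
             sub(/.*DH, */, ""); sub(/ bits.*/, "");
             print; found = 1; exit
         }
         END { if (!found) print "none" }'
}

# logjam_verdict BITS: "ok" for 2048 bits or more (the value the KB sets),
# "weak" for anything smaller, "no-dhe" when DHE was not negotiated at all.
logjam_verdict() {
    case "$1" in
        none) echo "no-dhe" ;;
        *)    if [ "$1" -ge 2048 ]; then echo "ok"; else echo "weak"; fi ;;
    esac
}

# check_host HOST PORT: live probe. Restricting the client to the DHE cipher
# family makes the server reveal its DH parameters instead of picking ECDHE.
check_host() {
    openssl s_client -connect "$1:$2" -cipher 'DHE' </dev/null 2>/dev/null \
        | dh_bits_from_output | { read -r bits; logjam_verdict "$bits"; }
}

# gen_dhparams FILE: for the reverse-proxy case, create a 2048-bit DH group
# to reference from the Apache/nginx configuration (see weakdh.org/sysadmin).
gen_dhparams() {
    openssl dhparam -out "$1" 2048
}

# Constructed sample shaped like the relevant part of s_client output from a
# server still using the 1024-bit default; not a real capture.
SAMPLE_WEAK='SSL handshake has read 1600 bytes and written 450 bytes
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

if [ "$#" -eq 2 ]; then
    # Placeholder host, e.g.: ./dhcheck.sh jira.example.internal 8443
    check_host "$1" "$2"
else
    bits=$(printf '%s\n' "$SAMPLE_WEAK" | dh_bits_from_output)
    echo "sample server: DH $bits bits -> $(logjam_verdict "$bits")"
fi
```

Run it with a host and port to probe a live endpoint; with no arguments it parses the constructed sample and reports "weak". A "no-dhe" verdict means the server did not offer a DHE suite at all to this client (for example, it only accepts ECDHE or TLS 1.3), which is not a Logjam exposure but is worth confirming against the intended cipher configuration.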