What version of Jira will not be susceptible to the Diffie-Hellman vulnerability?

Greg Elofson
Contributor
December 4, 2018

We're about to do a long overdue upgrade. We've considered Jira 7.6 because of its Enterprise designation, and the reduced maintenance it would presumably require.

But, we would like to be sure that Jira 7.6 cannot be affected by the Diffie-Hellman vulnerability.

The research I've done indicates that the determining factor is not necessarily the Jira version, per se, but rather whether the Jira version uses Java version 8 -- because it can be configured to use a 2048-bit group as documented at Logjam (CVE-2015-4000) and Atlassian Products.

Can anyone recommend which Jira version to use, in light of our need to avoid the Diffie-Hellman vulnerability?

1 answer

1 accepted

0 votes
Answer accepted
Alexis Robert
Community Champion
December 5, 2018

Hi @Greg Elofson


FYI Jira 7.13 is the new Enterprise release, I'd recommend using this one rather than 7.6 if you can :)


For your question, it depends how you're implementing SSL on your Jira instance: do you use a reverse-proxy like Apache or Nginx, or Tomcat with keytool to implement certificates?

The problem is with the size of the DH Group used by your software to exchange security keys, so it can be fixed in different ways depending on how you implement security on your side.

If you're using a reverse-proxy, then you should fix weak DH following this guide.

If you're using Tomcat, then it should be fixed in server.xml following this guide.

Let me know if you have any questions,


--Alexis
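As an added illustration of the Tomcat side of this answer (example code written for this page, not from the thread or from the Atlassian guide it links), the script below audits a Tomcat server.xml for HTTPS connectors that still offer ephemeral Diffie-Hellman (DHE/EDH) cipher suites and then checks whether the JVM options pin the ephemeral DH group to at least 2048 bits via the Java 8 system property jdk.tls.ephemeralDHKeySize (Java 8 defaults to a 1024-bit group, which is the Logjam exposure). The server.xml and JVM option strings are constructed samples; the connector attribute names (SSLEnabled, ciphers, port) are standard Tomcat attributes.

```python
"""Audit a Tomcat server.xml plus JVM options for Logjam-relevant DH settings.

Exposure exists when an HTTPS connector offers DHE suites *and* the JVM has
not been told to use a >= 2048-bit ephemeral DH group. Either removing the
DHE suites or setting -Djdk.tls.ephemeralDHKeySize=2048 closes the gap.
"""
import re
import xml.etree.ElementTree as ET

MIN_DH_BITS = 2048

# Constructed sample server.xml (not Atlassian's): a plain HTTP connector and
# an HTTPS connector whose cipher list still includes a DHE suite.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               keystoreFile="/path/to/keystore" keystorePass="changeit"/>
  </Service>
</Server>
"""

# Constructed JVM option strings: the weak default (nothing set) and the fix.
WEAK_JVM_OPTS = "-Xms1g -Xmx2g"
HARDENED_JVM_OPTS = "-Xms1g -Xmx2g -Djdk.tls.ephemeralDHKeySize=2048"


def https_connectors(xml_text):
    """Return every <Connector> element with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def dhe_ciphers(connector):
    """List the finite-field DHE/EDH suites in a connector's ciphers attribute.

    Handles both JSSE names (TLS_DHE_RSA_WITH_...) and OpenSSL names
    (DHE-RSA-..., EDH-RSA-...). ECDHE suites are *not* affected by Logjam
    and are deliberately left out.
    """
    names = [c for c in re.split(r"[,:\s]+", connector.get("ciphers", "")) if c]
    return [c for c in names
            if "_DHE_" in c or "_DH_" in c
            or c.startswith("DHE-") or c.startswith("EDH-")]


def ephemeral_dh_bits(jvm_opts):
    """Return the configured jdk.tls.ephemeralDHKeySize, or None if unset.

    An unset value means the Java 8 default of 1024 bits applies.
    """
    m = re.search(r"-Djdk\.tls\.ephemeralDHKeySize=(\S+)", jvm_opts)
    if not m:
        return None
    value = m.group(1)
    return int(value) if value.isdigit() else value  # "legacy"/"matched" stay strings


def audit(xml_text, jvm_opts):
    """Return a list of human-readable findings; an empty list means no exposure."""
    findings = []
    bits = ephemeral_dh_bits(jvm_opts)
    dh_ok = isinstance(bits, int) and bits >= MIN_DH_BITS
    for conn in https_connectors(xml_text):
        weak = dhe_ciphers(conn)
        if weak and not dh_ok:
            findings.append(
                f"connector port {conn.get('port')}: offers DHE suites "
                f"({', '.join(weak)}) while ephemeral DH group is "
                f"{bits if bits is not None else '1024 (Java 8 default)'} bits; "
                f"set -Djdk.tls.ephemeralDHKeySize={MIN_DH_BITS} or drop the DHE suites"
            )
    return findings


if __name__ == "__main__":
    for label, opts in (("weak", WEAK_JVM_OPTS), ("hardened", HARDENED_JVM_OPTS)):
        print(f"[{label}]", audit(SAMPLE_SERVER_XML, opts) or "no findings")
```

Run it against your real server.xml and the JVM arguments from setenv.sh (or the service wrapper) by swapping in the file contents; the reverse-proxy case in the answer is handled separately in the proxy's own TLS configuration and is not covered by this script.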

Greg Elofson
Contributor
December 5, 2018

Hi @Alexis Robert,

Thanks for your quick response! Knowing that Jira 7.13 is the next enterprise edition is very helpful! On the links you attached, it appears that the second link (for server.xml) is the same as the first (DH) link. By intention?

cheers,

Greg

Alexis Robert
Community Champion
December 6, 2018

Hi @Greg Elofson

Yes, both links are for the same page, as it has the information for both Tomcat and your webserver if you scroll down the page :)

Greg Elofson
Contributor
December 6, 2018

Thank you Alexis! Your help has been very valuable!
