Story
Resolution: Fixed
Major
None
We use Jenkins 2.375.2 on OpenJDK 11, and we are getting the vulnerability "The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits" on port 8443.
Vulnerable connection combinations :
SSL/TLS version : TLSv1.2
Cipher suite : TLS1_DHE_RSA_WITH_AES_256_CBC_SHA256
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.2
Cipher suite : TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.2
Cipher suite : TLS12_DHE_RSA_WITH_AES_256_GCM_SHA384
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.2
Cipher suite : TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.2
Cipher suite : TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
I updated the java.security file with the configuration below:
[root@daldpmaster101 ~]# java -version
openjdk version "11.0.19" 2023-04-18 LTS
/etc/java/java-11-openjdk/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/conf/security/java.security
jdk.tls.disabledAlgorithms=SSLv2Hello, TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 2048, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS1_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS12_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, DH_anon, ECDH_anon, anon, NULL, include jdk.disabled.namedCurves
but it is still not fixed.
Please let me know if you have any steps to fix this.
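An added verification check, not part of this issue or of the Jenkins project: the scanner finding is about what the running JVM actually negotiates, so the quickest way to confirm whether a java.security change took effect is to talk TLS to port 8443 directly. The Python probe below sends a TLS 1.2 ClientHello that offers only the five DHE_RSA suites listed in the report, reads the ServerHello and ServerKeyExchange, and reports the bit length of the server's DH prime and whether it is the static RFC 2409 Group 2 (1024-bit MODP) modulus the scanner warned about. The hostname `jenkins.example.internal` is an assumption; the port defaults to 8443 as in the report.

```python
"""Probe a TLS server for 1024-bit / Oakley Group 2 DHE parameters.

Added example; not code from the Jenkins issue or the Jenkins project.
"""
import os
import socket
import struct
import sys

# RFC 2409 section 6.2, "Second Oakley Group": the 1024-bit MODP prime.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

# The DHE_RSA suites from the scanner report, keyed by IANA code point.
DHE_RSA_SUITES = {
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def build_client_hello(server_name):
    """TLS 1.2 ClientHello (RFC 5246 7.4.1.2) offering only DHE_RSA suites."""
    suites = b"".join(struct.pack("!H", s) for s in DHE_RSA_SUITES)
    host = server_name.encode()
    # server_name extension: list length, name_type host_name(0), host length, host
    sni_list = struct.pack("!BH", 0, len(host)) + host
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    # signature_algorithms: rsa_pkcs1 sha256/384/512 and rsa_pss_rsae_sha256
    sig_algs = b"".join(struct.pack("!H", a) for a in (0x0401, 0x0501, 0x0601, 0x0804))
    sig_ext = struct.pack("!HHH", 0x000D, len(sig_algs) + 2, len(sig_algs)) + sig_algs
    exts = sni_ext + sig_ext
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_key_exchange(body):
    """Read ServerDHParams (RFC 5246 7.4.3) from a DHE ServerKeyExchange body.

    Returns (bit length of p, True if p is the RFC 2409 Group 2 modulus).
    """
    p_len = struct.unpack("!H", body[:2])[0]
    p = int.from_bytes(body[2:2 + p_len], "big")
    return p.bit_length(), p == OAKLEY_GROUP2_P


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host, port=8443, timeout=10):
    """Return (suite name, p bits, is Group 2), or None if the server refused every DHE suite."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        handshake, chosen = b"", None
        while True:
            hdr = recv_exact(sock, 5)                        # record: type, version, length
            payload = recv_exact(sock, struct.unpack("!H", hdr[3:5])[0])
            if hdr[0] == 21:                                 # alert: no DHE suite acceptable
                return None
            if hdr[0] != 22:                                 # not a handshake record
                continue
            handshake += payload                             # messages may span records
            while len(handshake) >= 4:
                msg_type, msg_len = handshake[0], int.from_bytes(handshake[1:4], "big")
                if len(handshake) < 4 + msg_len:
                    break
                msg, handshake = handshake[4:4 + msg_len], handshake[4 + msg_len:]
                if msg_type == 2:                            # ServerHello: suite after random + session id
                    sid_len = msg[34]
                    chosen = struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]
                elif msg_type == 12:                         # ServerKeyExchange carries the DH params
                    bits, group2 = parse_server_key_exchange(msg)
                    return DHE_RSA_SUITES.get(chosen, hex(chosen or 0)), bits, group2


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "jenkins.example.internal"  # assumed hostname
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    result = probe(host, port)
    if result is None:
        print("server refused all DHE_RSA suites: finding no longer applies")
    else:
        suite, bits, group2 = result
        print(f"{suite}: DH prime {bits} bits, RFC 2409 Group 2 modulus: {group2}")
```

Run it against the Jenkins host after restarting the service; the finding is resolved only when the probe reports that the server refused every DHE suite or sends a prime of 2048 bits or more. A result of 1024 bits with the Group 2 modulus means the JVM that Jenkins is actually running under is still using its old settings, whatever java.security file was edited.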