CVE-2023-48795 vulnerability on SSH


    • Severity 3 - Minor
    • CtB - Improve Existing

      Strict key exchange support

      The server supports strict key exchange from 8.9.10+ (LTS), 8.13.6+, 8.14.5+, 8.15.4+, 8.16.3+, 8.17.1+ and 8.18.0+.
      If older SSH clients that do not support strict key exchange are still in use, the affected ciphers and MACs can be disabled on the server side by listing them in the following properties in $BITBUCKET_HOME/shared/bitbucket.properties:

      plugin.ssh.disabled.ciphers=arcfour128, arcfour256, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, chacha20-poly1305@openssh.com
      plugin.ssh.disabled.macs=hmac-md5, hmac-sha1-96, hmac-md5-96, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com
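      To make the two mitigations above checkable, here is an added Python script (not Atlassian code and not part of this issue) that reads a bitbucket.properties file and reports whether a given server version has strict key exchange according to the version table above, and if not, which of the Terrapin-relevant algorithms are still enabled. The properties parser is a minimal reimplementation of the Java format; the version table is copied from this issue; the set of "Terrapin-relevant" algorithms (the ChaCha20-Poly1305 cipher, the CBC ciphers and the -etm MACs taken from the property lists above) is my own selection and an assumption, since the issue's lists also contain other weak algorithms; minor lines not in the table (such as 8.10 to 8.12) are treated as unfixed, which is also an assumption. The sample properties text is constructed.

```python
"""Check a Bitbucket Data Center deployment for the CVE-2023-48795 (Terrapin)
mitigations described in this issue: either a server version with strict key
exchange, or the relevant ciphers/MACs disabled in bitbucket.properties.
Added example, not Atlassian code. The version table is copied from the issue;
the algorithm subsets and the handling of unlisted minor lines are assumptions."""

# First patch release with strict kex per minor line, as listed in the issue.
STRICT_KEX_FIXED = {
    (8, 9): 10, (8, 13): 6, (8, 14): 5, (8, 15): 4,
    (8, 16): 3, (8, 17): 1, (8, 18): 0,
}

# Assumed Terrapin-relevant subset of the issue's disable lists:
# the ChaCha20-Poly1305 cipher, the CBC ciphers and the encrypt-then-MAC MACs.
TERRAPIN_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", "blowfish-cbc",
}
TERRAPIN_MACS = {
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments,
    and trailing-backslash line continuation. Later keys override earlier ones."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # glue a continued line onto its predecessor
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Turn 'a, b, c' into {'a', 'b', 'c'}, ignoring empty entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


def supports_strict_kex(version):
    """True if the version is at or above the fixed release for its minor line.
    Assumption: minor lines absent from the table are unfixed; anything newer
    than 8.18 is treated as fixed."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) > (8, 18):
        return True
    fixed_patch = STRICT_KEX_FIXED.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


def terrapin_gaps(props):
    """Return the Terrapin-relevant ciphers and MACs that are NOT disabled."""
    disabled_ciphers = split_list(props.get("plugin.ssh.disabled.ciphers", ""))
    disabled_macs = split_list(props.get("plugin.ssh.disabled.macs", ""))
    return {
        "ciphers": sorted(TERRAPIN_CIPHERS - disabled_ciphers),
        "macs": sorted(TERRAPIN_MACS - disabled_macs),
    }


def assess(version, properties_text):
    """Classify the deployment: 'strict-kex', 'mitigated-by-config' or 'vulnerable'."""
    gaps = terrapin_gaps(parse_properties(properties_text))
    if supports_strict_kex(version):
        return "strict-kex", gaps
    if not gaps["ciphers"] and not gaps["macs"]:
        return "mitigated-by-config", gaps
    return "vulnerable", gaps


# Constructed sample: ciphers fully disabled, but the -etm MACs left enabled.
SAMPLE_PROPERTIES = """\
# constructed sample bitbucket.properties
server.port=7990
plugin.ssh.disabled.ciphers=arcfour128, arcfour256, aes128-cbc, aes192-cbc, \\
    aes256-cbc, 3des-cbc, blowfish-cbc, chacha20-poly1305@openssh.com
plugin.ssh.disabled.macs=hmac-md5, hmac-sha1-96
"""

if __name__ == "__main__":
    for ver in ("8.9.8", "8.9.10"):
        print(ver, assess(ver, SAMPLE_PROPERTIES))
```

      Run it against the real file with the server version taken from the admin UI; a result of "vulnerable" lists exactly which entries still need to be added to the two properties, and "strict-kex" means the configuration lists only matter for clients that negotiate without strict key exchange.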
      

      Bitbucket Data Center version 8.9.8 is detected as being vulnerable to the Terrapin SSH vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-48795

      The recommended fix is to configure the SSH server to disable the ChaCha20-Poly1305 cipher and, if using the default MACs, avoid enabling any CBC ciphers.

            Assignee: Unassigned
            Reporter: Caitlin Laughrey
            Votes: 4
            Watchers: 18
