{panel:title=Strict key exchange support|borderStyle=solid|borderColor=#3c78b5|titleBGColor=#3c78b5|bgColor=#e7f4fa}
Bitbucket's built-in SSH server supports strict key exchange ({{kex-strict-s-v00@openssh.com}}, the Terrapin countermeasure) in 8.9.10+ (LTS), 8.13.6+, 8.14.5+, 8.15.4+, 8.16.3+, 8.17.1+ and 8.18.0+.
Strict key exchange only protects a connection when both the client and the server support it. If older SSH clients that lack it must still connect, disable the ciphers and MACs the attack relies on by adding them to the following properties in $BITBUCKET_HOME/shared/bitbucket.properties:
{noformat}
plugin.ssh.disabled.ciphers=arcfour128, arcfour256, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, chacha20-poly1305@openssh.com
plugin.ssh.disabled.macs=hmac-md5, hmac-sha1-96, hmac-md5-96, hmac-sha1-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com
{noformat}
{panel}
Vulnerability scanners report Bitbucket Data Center 8.9.8 as vulnerable to the Terrapin SSH prefix-truncation attack, CVE-2023-48795 [https://nvd.nist.gov/vuln/detail/CVE-2023-48795].
Terrapin needs either the {{chacha20-poly1305@openssh.com}} cipher or a CBC-mode cipher negotiated together with an Encrypt-then-MAC ({{-etm@openssh.com}}) MAC. The recommended fix is therefore to configure the SSH server to disable {{chacha20-poly1305@openssh.com}} and, while the default MACs (which include the EtM variants) remain enabled, to keep every CBC cipher disabled as well. Checking the server's advertised algorithm lists after the change confirms that the scanner finding is gone.
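The following script is an added example, not Atlassian's code or part of Bitbucket. It performs the same check the scanners do: it reads the server's SSH_MSG_KEXINIT and reports whether strict key exchange is advertised and whether any Terrapin-relevant algorithm (ChaCha20-Poly1305, or a CBC cipher alongside an EtM MAC) is still offered. The two KEXINIT samples are constructed inline so the logic runs offline; the client identification string {{SSH-2.0-terrapin-check}} is an arbitrary choice, the disabled lists follow the panel above, and the live-scan helper assumes Bitbucket's default SSH port 7999.

```python
"""Assess an SSH server's KEXINIT for Terrapin (CVE-2023-48795) exposure (added example)."""
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names) -> bytes:
    s = ",".join(names).encode("ascii")
    return struct.pack(">I", len(s)) + s


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)) -> bytes:
    """Encode a KEXINIT payload (RFC 4253 s7.1); the same lists are used for both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # 16-byte cookie; zeros, since we never finish a kex
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=false, reserved=0


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip message id and cookie
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        out[field] = [x for x in payload[off:off + n].decode("ascii").split(",") if x]
        off += n
    return out


def assess(kexinit: dict) -> dict:
    """Flag the Terrapin-relevant algorithms and whether the strict-kex countermeasure is offered."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    chacha = CHACHA in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in kexinit["kex"]
    if (chacha or cbc_etm) and not strict:
        verdict = "vulnerable"
    elif chacha or cbc_etm:
        verdict = "mitigated only for clients that also support strict kex"
    else:
        verdict = "not vulnerable"
    return {"strict_kex": strict, "chacha20_poly1305": chacha, "cbc_etm": cbc_etm, "verdict": verdict}


def apply_disabled(kexinit: dict, disabled_ciphers, disabled_macs) -> dict:
    """Model the effect of plugin.ssh.disabled.ciphers / plugin.ssh.disabled.macs on the advertised lists."""
    out = dict(kexinit)
    for f in ("enc_c2s", "enc_s2c"):
        out[f] = [c for c in kexinit[f] if c not in disabled_ciphers]
    for f in ("mac_c2s", "mac_s2c"):
        out[f] = [m for m in kexinit[f] if m not in disabled_macs]
    return out


def fetch_server_kexinit(host: str, port: int = 7999, timeout: float = 5.0) -> bytes:
    """Exchange identification strings and return the server's first (still unencrypted) packet payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin-check\r\n")  # arbitrary client identification string
        rd = sock.makefile("rb")
        line = rd.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = rd.readline()
        header = rd.read(5)  # uint32 packet_length, byte padding_length
        (packet_len,) = struct.unpack(">I", header[:4])
        body = rd.read(packet_len - 1)
        return body[:packet_len - 1 - header[4]]  # strip random padding; no MAC before the first kex


# Constructed sample: a server offering the weak algorithms and no strict kex (pre-fix behaviour).
SAMPLE_VULNERABLE = build_kexinit(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256"],
    hostkey=["ssh-ed25519", "rsa-sha2-512"],
    enc=[CHACHA, "aes128-ctr", "aes128-cbc", "aes256-cbc"],
    mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"],
)
# Disabled lists as in the bitbucket.properties snippet above (hard-coded here, not read from the file).
DISABLED_CIPHERS = {"arcfour128", "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                    "3des-cbc", "blowfish-cbc", CHACHA}
DISABLED_MACS = {"hmac-md5", "hmac-sha1-96", "hmac-md5-96", "hmac-sha1-etm@openssh.com",
                 "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"}


def demo() -> tuple:
    """Verdict for the sample server before and after the disabled lists are applied."""
    before = assess(parse_kexinit(SAMPLE_VULNERABLE))
    after = assess(apply_disabled(parse_kexinit(SAMPLE_VULNERABLE), DISABLED_CIPHERS, DISABLED_MACS))
    return before["verdict"], after["verdict"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python terrapin_check.py bitbucket.example.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7999
        print(assess(parse_kexinit(fetch_server_kexinit(sys.argv[1], port))))
    else:
        print(demo())
```

Run it against the Bitbucket host after applying the properties and restarting: the verdict should be "not vulnerable" (or, on a version that advertises strict key exchange but still offers the weak algorithms, the "mitigated only for clients that also support strict kex" verdict, which tells you the disabled lists are still needed for legacy clients).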