IBM Support

IV66111: FIX SECURITY VULNERABILITY CVE-2014-3566


APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • To mitigate the SSL POODLE vulnerability in the IBM JVM, the SSLv3
    protocol will be explicitly disabled via a system property that
    will be set by default. Even if the SSLv3 protocol is requested,
    JSSE will not allow its negotiation.
    

Problem conclusion

  • A fix is made to the IBMJSSE2 provider:
    1. New property "com.ibm.jsse2.disableSSLv3=true|false" was added
       to disable SSLv3. The default is true.
    2. When SSLv3 is the only specified protocol, throw
       IllegalArgumentException.
    3. The "SSL" protocol label was updated to enable the following
       protocols:
         Java 5 and Java 6 - TLS 1.0
         Java 7
           Server - TLS 1.0, TLS 1.1 and TLS 1.2
           Client - TLS 1.0
         Java 8 - TLS 1.0, TLS 1.1 and TLS 1.2
    If the user turns off the system property to disable SSLv3
    (-Dcom.ibm.jsse2.disableSSLv3=false), then SSLv3 will also be
    enabled plus the protocols listed above.
    The associated Hursley RTC Problem Report is 76936/77313/77639
    The associated Austin CMVC defect is 116040/116060/116061
    JVMs affected: Java 5.0, Java 6.0, Java 626, Java 7.0 and Java 727
    The fix was delivered for Java 5.0 SR16FP8, Java 6.0 SR16FP2,
    Java 626 SR8FP2, Java 7.0 SR8 and Java 727 SR2
    The affected jar is "ibmprovider2.jar".
    The build level of this jar for the affected releases is
    "20141024"
    .
    This APAR will be fixed in the following Java Releases:
       7    SR8       (7.0.8.0)
       7 R1 SR2 FP10  (7.1.2.10)
       6    SR16 FP3  (6.0.16.3)
       6 R1 SR8 FP2   (6.1.8.2)
       5.0  SR16 FP8  (5.0.16.8)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the Service
    Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
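
    One way to confirm the behaviour described above on an installed IBM JVM, as an added example that is not IBM's code: it lists the protocols enabled under the "SSL" and "TLS" labels and then requests SSLv3 alone. The class name Sslv3Check is hypothetical, and the example assumes the IllegalArgumentException described in item 2 surfaces from SSLEngine.setEnabledProtocols.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;

// Hypothetical helper class, not part of the IBM SDK.
public class Sslv3Check {
    // True if "SSLv3" appears in the given protocol list.
    static boolean hasSslv3(String[] protocols) {
        return Arrays.asList(protocols).contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        // Property added by this APAR; when unset, the default (true) applies.
        String prop = System.getProperty("com.ibm.jsse2.disableSSLv3");
        System.out.println("com.ibm.jsse2.disableSSLv3 = "
                + (prop == null ? "(unset, default true)" : prop));

        boolean exposed = false;
        String[] labels = {"SSL", "TLS"};
        for (int i = 0; i < labels.length; i++) {
            SSLContext ctx = SSLContext.getInstance(labels[i]);
            ctx.init(null, null, null); // default key and trust managers
            SSLEngine engine = ctx.createSSLEngine();

            String[] enabled = engine.getEnabledProtocols();
            System.out.println(labels[i] + " enabled: " + Arrays.toString(enabled));
            if (hasSslv3(enabled)) {
                exposed = true;
            }

            // Assumption: with the fix, an SSLv3-only request is rejected here.
            try {
                engine.setEnabledProtocols(new String[] {"SSLv3"});
                System.out.println(labels[i] + ": SSLv3-only request accepted");
                exposed = exposed || hasSslv3(engine.getEnabledProtocols());
            } catch (IllegalArgumentException e) {
                System.out.println(labels[i] + ": SSLv3-only request rejected: "
                        + e.getMessage());
            }
        }
        System.out.println(exposed ? "RESULT: SSLv3 is enabled or can be requested"
                                   : "RESULT: SSLv3 is not enabled");
        System.exit(exposed ? 1 : 0); // non-zero exit lets a script flag the JVM
    }
}
```

    Running it a second time with -Dcom.ibm.jsse2.disableSSLv3=false shows whether an override in a startup script has re-enabled SSLv3.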
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV66111

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-10-20

  • Closed date

    2014-11-05

  • Last modified date

    2014-11-05

  • APAR is sysrouted FROM one or more of the following:

    IV66110

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSY

       UP


Document Information

Modified date:
02 October 2021