IBM Support

IBM SDK, Java Technology Edition: Fix packs to address the Logjam security vulnerability (CVE-2015-4000)

News


Abstract

A potential weakness is exposed with DH and DHE cipher suites that relates to the Logjam security vulnerability. Fix packs are now available that address this issue in all current releases of the IBM® SDK, Java™ Technology Edition.

Content

The Logjam security vulnerability describes a weakness with Transport Layer Security (TLS) protocols V1.2 and earlier versions, caused by the failure to properly convey a DHE_EXPORT cipher suite choice. This specific issue does not affect IBM SDK, Java Technology Edition, because DHE_EXPORT cipher suites are disabled by default. However, the Logjam vulnerability does affect DH and DHE cipher suites; the server can send a weak DH key, which is then subject to a man-in-the-middle attack. To mitigate against this exposure, weak DH keys are disabled at the client by specifying the minimum key size that the client will accept.


DH keys that are less than 768 bits are disabled by default in the java.security file. For example:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

When FIPS mode is enabled in the IBMJSSE2 provider by setting com.ibm.jsse2.usefipsprovider=true, a 2048-bit DH key size is used on the server side.

Note: ECDH and ECDHE cipher suites are not affected by the Logjam vulnerability.

This vulnerability is addressed in the following fix pack levels:

  • IBM SDK, Java Technology Edition, Version 8, Service Refresh 1, Fix Pack 1
  • IBM SDK, Java Technology Edition, Version 7, Release 1, Service Refresh 3, Fix Pack 1
  • IBM SDK, Java Technology Edition, Version 7, Service Refresh 9, Fix Pack 1
  • IBM SDK, Java Technology Edition, Version 6.0.1 (J9 VM2.6), Service Refresh 8, Fix Pack 5
  • IBM SDK, Java Technology Edition, Version 6, Service Refresh 16, Fix Pack 5
  • IBM SDK, Java 2 Technology Edition, Version 5.0, Service Refresh 16, Fix Pack 11

To obtain a fix pack, go to developerWorks.


Note: The IBM SDK and JRE for Windows are available only as part of an IBM product. Please contact your IBM service representative for your product to determine how to obtain this fix.

Document information

More support for: Runtimes for Java Technology
Security

Software version: 5.0, 6.0, 6.1, 7.0, 7.1, 8.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition: Java SE

Reference #: 1959956

Modified date: 19 August 2015


Translate this page: