IBM Support

WebSphere Application Server java.security file

Release Notes


Abstract

WebSphere Application Server java.security file may need manual updates

Content

The java.security file shipped with WebSphere Application Server is a customizable file. WebSphere Application Server does not update this file when fix packs or i-fixes are applied, to avoid overwriting customizations.

Note: As of WebSphere 8.5.5.14, WebSphere no longer overwrites the java.security file for the bundled Java 8. This document describes what you may need to do if you are running an earlier version of WebSphere or are using one of the optional Java releases.

WebSphere Application Server Liberty installed using the Installation Manager (IM) install method, and WebSphere Application Server Classic, may both be affected.

The java.security file may need manual updates to pick up both security and performance changes.

Use the following lists, organized by Java major version, to determine whether your java.security file needs to be updated manually.

Java 8

Each entry gives the Java 8 release start point, the description, CVE and common name of the issue, and the corresponding java.security property value.

Java 8 GA
  Description: Vulnerability in SSLv3
  CVE: CVE-2014-3566 (POODLE)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3

Java 8 SR1
  Description: Vulnerability in RC4
  CVE: CVE-2015-2808 (Bar Mitzvah)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3, RC4

Java 8 SR1 FP1
  Description: Vulnerability with Diffie-Hellman ciphers
  CVE: CVE-2015-4000 (Logjam)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768

Java 8 SR2
  Description: Performance degradation due to secure random source
  CVE: n/a
  java.security property:
    securerandom.source=file:/dev/urandom

Java 8 SR2 FP10
  Description: Vulnerability in MD5
  CVE: CVE-2015-7575 (SLOTH)
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768, MD5withRSA

Java 8 SR4 FP1
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224

Java 8 SR4 FP5
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224

Java 8 SR5 FP10
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, DESede, EC keySize < 224, DES40_CBC, RC4_40

Java 8 SR5 FP30
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
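As an added example that is not part of the IBM document, the following Python script parses a java.security file (honouring the backslash line continuations that file uses), compares the two disabledAlgorithms properties against the entries in the Java 8 SR5 FP30 row above, and reports which expected entries are absent. The sample file contents are constructed, and the EXPECTED values are copied from that row rather than read from any JDK.

```python
import re

# Entries from the Java 8 SR5 FP30 row above (copied from that row, not from a JDK).
EXPECTED = {
    "jdk.certpath.disabledAlgorithms": "MD2, MD5, SHA1 jdkCA & usage TLSServer, "
        "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224",
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, "
        "DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL",
}

# Constructed sample of a java.security still carrying an earlier fix pack's settings.
SAMPLE = """\
# constructed sample, not a real shipped file
securerandom.source=file:/dev/urandom
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize <768, \\
    3DES_EDE_CBC, DESede, EC keySize < 224
"""

def parse_java_security(text):
    """Parse key=value lines, honouring '#' comments and backslash continuations."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # blank or comment outside a continuation
        if line.endswith("\\"):
            pending.append(line[:-1])     # value continues on the next line
            continue
        key, sep, value = "".join(pending + [line]).partition("=")
        pending = []
        if sep:
            props[key.strip()] = value.strip()
    return props

def normalize_entries(value):
    """Canonical entry set, so 'DH keySize <768' and 'DH keySize < 768' compare equal."""
    items = (re.sub(r"\s*<\s*", " < ", " ".join(i.split())) for i in value.split(","))
    return {i for i in items if i}

def missing_entries(props, expected=EXPECTED):
    """Expected entries each property lacks; a raised key-size minimum
    (DH keySize < 768 vs < 1024) shows up as the newer entry being missing."""
    gaps = {k: sorted(normalize_entries(v) - normalize_entries(props.get(k, "")))
            for k, v in expected.items()}
    return {k: g for k, g in gaps.items() if g}

if __name__ == "__main__":
    print(missing_entries(parse_java_security(SAMPLE)))
```

To audit a real installation, pass the text of the installed file (for Java 8 typically found under the JDK's jre/lib/security directory) to parse_java_security, and swap EXPECTED for the row matching your Java level.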



Java 7 and 7.1

Each entry gives the Java 7.1 and Java 7 release start points, the description, CVE and common name of the issue, and the corresponding java.security property value.

Java 7.1 SR2 / Java 7 SR8 FP10
  Description: Vulnerability in SSLv3
  CVE: CVE-2014-3566 (POODLE)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3

Java 7.1 SR3 / Java 7 SR9
  Description: Vulnerability in RC4
  CVE: CVE-2015-2808 (Bar Mitzvah)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3, RC4

Java 7.1 SR3 FP10 / Java 7 SR9 FP10
  Description: Vulnerability with Diffie-Hellman ciphers
  CVE: CVE-2015-4000 (Logjam)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768

Java 7.1 SR3 FP30 / Java 7 SR9 FP30
  Description: Vulnerability in MD5
  CVE: CVE-2015-7575 (SLOTH)
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768, MD5withRSA

Java 7.1 SR4 FP1 / Java 7 SR10 FP1
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224

Java 7.1 SR4 FP5 / Java 7 SR10 FP5
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224

Java 7.1 SR4 FP10 / Java 7 SR10 FP10
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, DESede, EC keySize < 224, DES40_CBC, RC4_40

Java 7.1 SR4 FP40 / Java 7 SR10 FP40
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL


Java 6 and 6.1

Each entry gives the minimum Java 6.1 and Java 6 levels, the description, CVE and common name of the issue, and the corresponding java.security property value.

Java 6.1 SR8 FP2 / Java 6 SR16 FP3
  Description: Vulnerability in SSLv3
  CVE: CVE-2014-3566 (POODLE)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3

Java 6.1 SR8 FP7 / Java 6 SR16 FP7
  Description: Vulnerability in RC4
  CVE: CVE-2015-2808 (Bar Mitzvah)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3, RC4

Java 6.1 SR8 FP5 / Java 6 SR16 FP5
  Description: Vulnerability with Diffie-Hellman ciphers
  CVE: CVE-2015-4000 (Logjam)
  java.security property:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768

Java 6.1 SR8 FP20 / Java 6 SR16 FP20
  Description: Vulnerability in MD5
  CVE: CVE-2015-7575 (SLOTH)
  java.security properties:
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768, MD5withRSA


Document Information

Modified date: 30 November 2021
UID: swg27045560