Release Notes
Abstract
WebSphere Application Server java.security file may need manual updates
Content
The java.security file shipped with WebSphere Application Server is a customizable file. WebSphere Application Server does not update this file when fix packs or i-fixes are applied, to avoid overwriting customizations.
Note: As of WebSphere 8.5.5.14, WebSphere no longer overwrites the java.security file for the bundled Java 8. This document describes what you may need to do if you are running an earlier version of WebSphere or are using one of the optional Java releases.
WebSphere Application Server Liberty installed with the Installation Manager (IM) install method, and WebSphere Application Server Classic, may be affected.
The java.security file may need manual updates to pick up both security and performance fixes.
See the following, organized by Java major version, to determine if your java.security file needs to be manually updated.
Java 8
Java 7 and 7.1
Java 6 and 6.1
Java 8
| Java 8 release start point | Description | CVE | Common name | java.security property |
|---|---|---|---|---|
| Java 8 GA | Vulnerability in SSLv3 | CVE-2014-3566 | POODLE | jdk.tls.disabledAlgorithms=SSLv3 |
| Java 8 SR1 | Vulnerability in RC4 | CVE-2015-2808 | Bar Mitzvah | jdk.tls.disabledAlgorithms=SSLv3, RC4 |
| Java 8 SR1 FP1 | Vulnerability with Diffie-Hellman ciphers | CVE-2015-4000 | Logjam | jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 |
| Java 8 SR2 | Performance degradation due to secure random source | n/a | n/a | securerandom.source=file:/dev/urandom |
| Java 8 SR2 FP10 | Vulnerability in MD5 | CVE-2015-7575 | SLOTH | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA |
| Java 8 SR4 FP1 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224 |
| Java 8 SR4 FP5 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224 |
| Java 8 SR5 FP10 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, DESede, EC keySize < 224, DES40_CBC, RC4_40 |
| Java 8 SR5 FP30 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL |
Java 7 and 7.1
| Java 7/7.1 release start point | Description | CVE | Common name | java.security property |
|---|---|---|---|---|
| Java 7.1 SR2 or Java 7 SR8 FP10 | Vulnerability in SSLv3 | CVE-2014-3566 | POODLE | jdk.tls.disabledAlgorithms=SSLv3 |
| Java 7.1 SR3 or Java 7 SR9 | Vulnerability in RC4 | CVE-2015-2808 | Bar Mitzvah | jdk.tls.disabledAlgorithms=SSLv3, RC4 |
| Java 7.1 SR3 FP10 or Java 7 SR9 FP10 | Vulnerability with Diffie-Hellman ciphers | CVE-2015-4000 | Logjam | jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 |
| Java 7.1 SR3 FP30 or Java 7 SR9 FP30 | Vulnerability in MD5 | CVE-2015-7575 | SLOTH | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA |
| Java 7.1 SR4 FP1 or Java 7 SR10 FP1 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224 |
| Java 7.1 SR4 FP5 or Java 7 SR10 FP5 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, EC keySize < 224 |
| Java 7.1 SR4 FP10 or Java 7 SR10 FP10 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, DESede, EC keySize < 224, DES40_CBC, RC4_40 |
| Java 7.1 SR4 FP40 or Java 7 SR10 FP40 | | | | jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL |
Java 6 and 6.1
| Minimum Java 6/6.1 | Description | CVE | Common name | java.security property |
|---|---|---|---|---|
| Java 6.1 SR8 FP2 or Java 6 SR16 FP3 | Vulnerability in SSLv3 | CVE-2014-3566 | POODLE | jdk.tls.disabledAlgorithms=SSLv3 |
| Java 6.1 SR8 FP7 or Java 6 SR16 FP7 | Vulnerability in RC4 | CVE-2015-2808 | Bar Mitzvah | jdk.tls.disabledAlgorithms=SSLv3, RC4 |
| Java 6.1 SR8 FP5 or Java 6 SR16 FP5 | Vulnerability with Diffie-Hellman ciphers | CVE-2015-4000 | Logjam | jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 |
| Java 6.1 SR8 FP20 or Java 6 SR16 FP20 | Vulnerability in MD5 | CVE-2015-7575 | SLOTH | jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 -and- jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA |
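Because the tables above only tell you the target value of each property, a practical check is to parse the installed java.security file and list the entries that are still missing. The following script is an added example, not IBM's code; the expected values are taken from the Java 8 SR5 FP30 row, the sample file contents are constructed, and the comparison is by normalized entry, so a weaker threshold such as "DH keySize < 768" does not satisfy "DH keySize < 1024".

```python
import re

# Target values copied from the Java 8 SR5 FP30 row of the table above.
EXPECTED = {
    "jdk.certpath.disabledAlgorithms":
        "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, "
        "DSA keySize < 1024, EC keySize < 224",
    "jdk.tls.disabledAlgorithms":
        "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, "
        "EC keySize < 224, 3DES_EDE_CBC, anon, NULL",
}

# Constructed sample of an older java.security fragment (not a real IBM file).
SAMPLE = """\
# constructed java.security fragment at roughly the Logjam/SLOTH level
securerandom.source=file:/dev/urandom
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768, \\
    MD5withRSA
"""

def parse_java_security(text):
    """Minimal Java properties parser: '#' comments, key=value, and a
    trailing backslash that continues the value on the next line."""
    props, key, buf = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if key is None:
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            key, buf = key.strip(), []
        else:
            value = line                      # continuation line
        if value.endswith("\\"):
            buf.append(value[:-1].strip())
            continue
        buf.append(value.strip())
        props[key], key = "".join(buf), None
    return props

def normalize(entry):
    """Canonical form so 'DH keySize <768' and 'DH keySize < 768' compare equal."""
    e = re.sub(r"\s+", " ", entry).replace(" <", "<").replace("< ", "<")
    return e.strip().lower()

def missing_entries(props, expected=EXPECTED):
    """Return {property: [expected entries absent from the parsed file]}."""
    report = {}
    for prop, wanted in expected.items():
        have = {normalize(e) for e in props.get(prop, "").split(",") if e.strip()}
        gap = [e.strip() for e in wanted.split(",") if normalize(e) not in have]
        if gap:
            report[prop] = gap
    return report

if __name__ == "__main__":
    for prop, gap in missing_entries(parse_java_security(SAMPLE)).items():
        print(f"{prop} is missing: {', '.join(gap)}")
```

To audit a real installation, read the installed file (for example java/jre/lib/security/java.security under the WebSphere install root) into parse_java_security instead of SAMPLE, and pick the EXPECTED row that matches your Java level.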
Document Information
Modified date:
30 November 2021
UID
swg27045560