To protect against the POODLE vulnerability (CVE-2014-3566), Oracle says to disable SSL v3 and v2 from the Java Control Panel:
But it appears there's nothing stopping any user from simply re-enabling these settings again!

Does anyone know how to prevent users from re-enabling SSL v2 and v3 in Oracle Java?

And how would one do so from the command line, i.e. from a silent pkg pushed to endpoints by JAMF Casper?

We're still running Java 7 (Update 71), but the same question would apply to Java 8 (Update 25), I would presume.

Any ideas would be much appreciated.

If there is not any reason for the user to modify Java then one possibility is to lock down the Java control panel via configuration profile. Even a user with admin privileges would not be able to open it.

Another possibility is a modification to the Oracle deployment properties file that can be used to configure Java. See https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

I say possibility because in my initial glance I did not see that specific setting, though maybe Oracle will add it (after all, they did recently remove one of the riskier security levels).
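As an added example (not code from the original thread or from Oracle), here is a postinstall-style script suitable for a silent package: it writes a system-wide deployment.properties that sets the documented deployment.security.SSLv2Hello and deployment.security.SSLv3 keys to false and locks them with the `.locked` suffix so the Java Control Panel will not let users re-enable them, and writes the deployment.config that points the JRE at that file and makes it mandatory. The macOS directory under /Library/Application Support/Oracle/Java/Deployment and the file:// URL form are assumptions; check them against your JRE version.

```shell
#!/bin/sh
# Added example: lock SSLv2Hello/SSLv3 off via the system Java deployment files.
# Assumed macOS system location (override by passing a directory as $1).
set -e

# Writes deployment.properties and deployment.config into $1 and prints the
# properties path. Defaults to the assumed system Deployment directory.
write_java_deployment_config() {
  dir="${1:-/Library/Application Support/Oracle/Java/Deployment}"
  mkdir -p "$dir"
  props="$dir/deployment.properties"
  cat > "$props" <<'EOF'
# Managed by IT: disable SSL 2.0 hello and SSL 3.0 (POODLE, CVE-2014-3566).
# A key followed by "<key>.locked" is greyed out in the Java Control Panel.
deployment.security.SSLv2Hello=false
deployment.security.SSLv2Hello.locked
deployment.security.SSLv3=false
deployment.security.SSLv3.locked
# Keep the TLS versions enabled.
deployment.security.TLSv1=true
deployment.security.TLSv1.1=true
deployment.security.TLSv1.2=true
EOF
  # deployment.config tells the JRE where the system properties live and that
  # startup must fail rather than run without them. URL form is an assumption;
  # spaces in the path may need percent-encoding on some JRE builds.
  cat > "$dir/deployment.config" <<EOF
deployment.system.config=file://$props
deployment.system.config.mandatory=true
EOF
  chmod 644 "$props" "$dir/deployment.config"
  echo "$props"
}

# Returns 0 only if both protocol keys are set to false AND locked in file $1.
# Useful as a JAMF extension attribute / compliance check after deployment.
verify_java_ssl_locked() {
  f="$1"
  for key in deployment.security.SSLv2Hello deployment.security.SSLv3; do
    grep -qxF "$key=false" "$f" || return 1
    grep -qxF "$key.locked" "$f" || return 1
  done
  return 0
}

# When run as a postinstall script, install into the given (or default) directory.
if [ $# -gt 0 ]; then
  write_java_deployment_config "$1"
fi
```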