Question

How to prevent users from re-enabling SSL v2 and v3 in Oracle Java (JDK and JRE)?

  • November 18, 2014


To protect against the POODLE vulnerability (CVE-2014-3566), Oracle says to disable SSL v3 and v2 from the Java Control Panel.
But it appears there's nothing stopping any user from simply re-enabling these settings again!

Does anyone know how to prevent users from re-enabling SSL v2 and v3 in Oracle Java?

And how would one do so from the command line, i.e. from a silent pkg pushed to endpoints by JAMF Casper?

We're still running Java 7 (Update 71), but the same question would apply to Java 8 (Update 25), I would presume.

Any ideas would be much appreciated.

  • Contributor
  • November 22, 2014

If there is not any reason for the user to modify Java, then one possibility is to lock down the Java control panel via a configuration profile. Even a user with admin privileges would not be able to open it.

Another possibility is a modification to the Oracle deployment properties file that can be used to configure Java. See https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

I say possibility because in my initial glance I did not see that specific setting, though maybe Oracle will add it (after all, they did recently remove one of the riskier security levels).
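
As an added example (not part of either post, and not Oracle's or JAMF's own script), here is one way a package postinstall script could write a system-level deployment configuration that switches off SSLv3 and the SSLv2-format hello and locks both settings, plus a check that can be run afterwards. The property names `deployment.security.SSLv3` and `deployment.security.SSLv2Hello`, the `.locked` suffix and the `deployment.config` keys are assumptions taken from Oracle's deployment properties documentation rather than from this thread, so confirm them against the linked document for your Java version; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lock SSLv3 / SSLv2Hello off in the system-level Java
# deployment configuration (covers the Java Plug-in and Web Start settings
# shown in the Java Control Panel).

# write_locked_ssl_config DIR
#   DIR is the directory where Java looks for deployment.config. Assumption:
#   on OS X Oracle documents "/Library/Application Support/Oracle/Java/Deployment".
write_locked_ssl_config() {
    dir=$1
    mkdir -p "$dir" || return 1

    # deployment.config points the JRE at the system-level properties file.
    # mandatory=true: if that file cannot be loaded, nothing is allowed to run.
    cat > "$dir/deployment.config" <<EOF
deployment.system.config=file://$dir/deployment.properties
deployment.system.config.mandatory=true
EOF

    # A "<name>.locked" entry stops users from changing <name> themselves.
    cat > "$dir/deployment.properties" <<EOF
deployment.security.SSLv2Hello=false
deployment.security.SSLv2Hello.locked
deployment.security.SSLv3=false
deployment.security.SSLv3.locked
EOF
    # Root-owned and world-readable: users can read the policy, not edit it.
    chmod 644 "$dir/deployment.config" "$dir/deployment.properties"
}

# ssl_locked_off FILE
#   Returns 0 only if both protocols are set to false AND locked in FILE.
ssl_locked_off() {
    file=$1
    [ -r "$file" ] || return 1
    for prop in deployment.security.SSLv2Hello deployment.security.SSLv3; do
        grep -qxF "$prop=false" "$file" || return 1
        grep -qxF "$prop.locked" "$file" || return 1
    done
    return 0
}
```

Call `write_locked_ssl_config` with the deployment directory for your platform from the postinstall script; `ssl_locked_off` can back a compliance check that flags endpoints where the lock is missing.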

