Java Outdated TLS Versions Enabled
Description
Detects the use of deprecated and insecure SSL/TLS protocol versions in Java applications through system properties configuration. Using outdated protocols like SSLv3 or TLS 1.0/1.1 can expose applications to known vulnerabilities such as POODLE and BEAST attacks.
Detection Strategy
• Identifies calls to the setProperty method whose first argument is 'jdk.tls.client.protocols'
• Checks whether the second argument (the comma-separated protocol list) contains any unsafe version: SSL, SSLv2Hello, SSLv3, TLS1, TLSv1, or TLSv1.1
• Reports a vulnerability when an insecure protocol version is enabled through this configuration
Vulnerable code example
public class InsecureTransport {
    public void configureTransport() {
        // Vulnerable: enables insecure TLS v1.0, which has known cryptographic weaknesses
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3,TLSv1");
    }
}
✅ Secure code example
public class SecureTransport {
    public void configureTransport() {
        // Only enable secure TLS versions (1.2 and 1.3)
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3");
    }
}
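As an added example (not the Fluid Attacks rule implementation or code from the page), the following Python script applies the detection strategy above to Java source text: it finds string-literal setProperty calls for jdk.tls.client.protocols, splits the protocol list, and reports any entry in the unsafe set. The sample source it scans is constructed from the two classes shown above.

```python
import re

# Protocol names the rule treats as unsafe (the list from the detection strategy above)
UNSAFE_PROTOCOLS = {"SSL", "SSLv2Hello", "SSLv3", "TLS1", "TLSv1", "TLSv1.1"}

# Matches System.setProperty("jdk.tls.client.protocols", "<list>") with a string-literal value;
# values built at runtime (variables, concatenation) are out of scope for this check.
SET_PROPERTY_RE = re.compile(
    r'System\s*\.\s*setProperty\s*\(\s*"jdk\.tls\.client\.protocols"\s*,\s*"([^"]*)"\s*\)'
)

def split_protocols(value):
    """Split a comma-separated protocol list, dropping blanks and surrounding spaces."""
    return [p.strip() for p in value.split(",") if p.strip()]

def unsafe_protocols(value):
    """Return the unsafe protocol names present in a property value, in source order."""
    return [p for p in split_protocols(value) if p in UNSAFE_PROTOCOLS]

def scan_source(source):
    """Apply the rule to Java source text: one (line_number, value, unsafe_names) tuple per
    setProperty call that enables an unsafe protocol; a TLSv1.2/TLSv1.3-only list is not reported."""
    findings = []
    for match in SET_PROPERTY_RE.finditer(source):
        bad = unsafe_protocols(match.group(1))
        if bad:
            line_number = source.count("\n", 0, match.start()) + 1
            findings.append((line_number, match.group(1), bad))
    return findings

# Constructed sample input: the two classes shown on this page, in one file.
SAMPLE_SOURCE = """public class InsecureTransport {
    public void configureTransport() {
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3,TLSv1");
    }
}
public class SecureTransport {
    public void configureTransport() {
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3");
    }
}
"""

if __name__ == "__main__":
    for line_number, value, bad in scan_source(SAMPLE_SOURCE):
        print(f"line {line_number}: jdk.tls.client.protocols={value!r} enables {', '.join(bad)}")
```

Only the InsecureTransport call is reported (line 3 of the sample, for TLSv1); the SecureTransport call passes because every entry is TLSv1.2 or TLSv1.3.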