problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2

profile photo of returntocorpreturntocorp
Author
6,272
Download Count*

Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.

Run Locally

Run in CI

Defintion

rules:
  - id: disallow-old-tls-versions2
    message: Detects setting client protocols to insecure versions of TLS and SSL.
      These protocols are deprecated due to POODLE, man in the middle attacks,
      and other vulnerabilities.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    patterns:
      - pattern: |
          java.lang.System.setProperty("jdk.tls.client.protocols", "...");
      - pattern-not: >
          java.lang.System.setProperty("jdk.tls.client.protocols",
          "TLSv1.2,TLSv1.3");
      - pattern-not: >
          java.lang.System.setProperty("jdk.tls.client.protocols",
          "TLSv1.3,TLSv1.2");
      - pattern-not: |
          java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.3");
      - pattern-not: |
          java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

Examples

disallow-old-tls-versions2.java

public class Bad {
    public void bad1() {
        // ruleid: disallow-old-tls-versions2
        java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3,TLS1");
    }
    public void bad1() {
        // ruleid: disallow-old-tls-versions2
        java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3,SSLv3");
    }
}

public class Ok {
    public void bad1() {
        // ok: disallow-old-tls-versions2
        java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3");
    }
    public void bad1() {
        // ok: disallow-old-tls-versions2
        java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.3");
    }
}