problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2
Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.
Definition
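rules:
  - id: disallow-old-tls-versions2
    message: >-
      Detects setting client protocols to insecure versions of TLS and SSL.
      These protocols are deprecated due to POODLE, man in the middle attacks,
      and other vulnerabilities.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    patterns:
      # Only the JSSE client-protocol property is matched; $PATTERNS binds the
      # literal, comma-separated protocol list passed as the value.
      - pattern: $VALUE. ... .setProperty("jdk.tls.client.protocols", "$PATTERNS");
      - metavariable-pattern:
          metavariable: $PATTERNS
          language: generic
          patterns:
            # Flag any list entry that is SSLv* (e.g. SSLv3), the bogus alias
            # "TLS1", or TLSv1 / TLSv1.1 (both deprecated by RFC 8996). An entry
            # is delimited by a comma, whitespace, or an end of the string, so
            # TLSv1.2 and TLSv1.3 are not matched. The earlier regexes only
            # caught a trailing "TLSv1" or a "TLSv1," prefix and never matched
            # TLSv1.1 at all.
            - pattern-regex: '(^|[\s,])(SSLv[^,\s]*|TLS1|TLSv1(\.[01])?)([\s,]|$)'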
Examples
disallow-old-tls-versions2.java
public class Bad {
public void bad1() {
// ruleid: disallow-old-tls-versions2
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3,TLS1");
}
public void bad1() {
// ruleid: disallow-old-tls-versions2
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3,SSLv3");
}
}
public class Ok {
public void bad1() {
// ok: disallow-old-tls-versions2
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3");
}
public void bad1() {
// ok: disallow-old-tls-versions2
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.3");
}
}