List of vulnerabilities for DevTest services


Article ID: 111791



CA Application Test Service Virtualization


As part of security verification, DevTest instances were scanned for OS vulnerabilities, and the scan raised the following issues related to DevTest services.

#1. Java Deserialization Vulnerability Detected (tcp over ssl)
#2. Java SSL KeyStore Password Disclosure Vulnerability
#3. Birthday attacks against TLS ciphers with 64-bit block size (Sweet32), tcp over ssl, CVE-2016-2183
#4. SSL/TLS Server supports TLSv1.0 (tcp over ssl)


All supported DevTest environments




The following settings should resolve the four concerns listed above.

1) In all of the VMOptions files (e.g., Registry.vmoptions, Simulator.vmoptions, etc.) add:
-Dhttps.protocols=TLSv1.2  or  -Dhttps.protocols=TLSv1.2,TLSv1.1

This "disables" TLSv1, SSLv3 and, optionally, TLSv1.1, all of which have known vulnerabilities. TLSv1.2 is the strongest SSL/TLS protocol version currently supported (TLSv1.3 was only just released by the IETF and we do not provide it yet).

2) In or, add:


1. The "RSA+EXPORT" ciphers are supported;
2. The size of the RSA public key in the certificate is not stronger than 1024;
3. The temporary RSA key size is less than 1024;
4. The temporary RSA key is stable (used multiple times);

Besides adding a list of accepted cipher suites to, the file can be updated too. There may be two copies of the file to update: one in DevTestHome\jre\lib\security\ and one in JAVA_HOME/jre/lib/security. Once both files are located, apply the changes below:

If you want to control which TLS versions are used, set the jdk.tls.client.protocols property in the same file.

Suppose we want to use only TLSv1.2 and only A-grade (strong) cipher suites:

* jdk.tls.client.protocols=TLSv1.2 
* jdk.tls.disabledAlgorithms=TLSv1, MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048 

Note on the disabled algorithms: DESede and DES are listed in order to disable 3DES (the Sweet32 issue). The constraint RSA keySize < 2048 disables every RSA key smaller than 2048 bits.
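The example below is added here and is not part of the original article or of DevTest: it parses the two java.security properties recommended above from a constructed excerpt and evaluates, with a simplified model of the JDK's matching rules, whether a given protocol, cipher suite or RSA key size would be refused. It is useful for checking what a proposed jdk.tls.disabledAlgorithms line actually blocks before rolling it out.

```python
import re

# Constructed excerpt in java.security format (not a real DevTest file), using the
# two properties recommended in the article above.
SAMPLE_SECURITY_FILE = """\
jdk.tls.client.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=TLSv1, MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048
"""

# Comparison operators allowed in a "<alg> keySize <op> <bits>" constraint.
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
_KEYSIZE = re.compile(r"(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")

def parse_security_properties(text):
    """Return (properties, disabled_names, key_constraints) from java.security text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    names, constraints = set(), {}
    for item in props.get("jdk.tls.disabledAlgorithms", "").split(","):
        item = item.strip()
        if not item:
            continue
        m = _KEYSIZE.fullmatch(item)
        if m:   # e.g. "RSA keySize < 2048": keys for which the comparison holds are disabled
            constraints.setdefault(m.group(1).upper(), []).append((m.group(2), int(m.group(3))))
        else:   # bare protocol or algorithm name, e.g. "TLSv1", "DESede"
            names.add(item.upper())
    return props, names, constraints

def is_disabled(names, constraints, protocol=None, cipher=None, key_alg=None, key_bits=None):
    """Simplified model of the JDK check: refuse a protocol, cipher suite or key that matches a
    disabled name or a keySize constraint. Suites are matched on the algorithm tokens in their
    name (cipher-suite names spell DESede as 3DES_EDE)."""
    if protocol and protocol.upper() in names:
        return True
    if cipher:
        tokens = set(cipher.upper().replace("3DES_EDE", "DESEDE").split("_"))
        if tokens & names:
            return True
    if key_alg and key_bits is not None:
        return any(_OPS[op](key_bits, limit) for op, limit in constraints.get(key_alg.upper(), []))
    return False
```

With the sample line, TLS_RSA_WITH_3DES_EDE_CBC_SHA and a 1024-bit RSA key are reported as disabled, while TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and a 2048-bit key are still allowed.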


Additional Information

We are limited to the ciphers the JVM supports. For more information on how to configure the security of the Oracle JDK and JRE, see:

The following knowledge base article discusses the 'lisa.server.https.cipher.suites' property:

DevTest Documentation can be found at: