SWEET 32 vulnerability
Nessus scan on Production servers has identified High severity vulnerability. "The remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites. It is, therefore, affected by a vulnerability, known as SWEET32, due to the use of weak 64-bit block ciphers. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.
Plugin Name: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
Synopsis: The remote service supports the use of 64-bit block ciphers.
Proof-of-concepts have shown that attackers can recover authentication cookies from an HTTPS session in as little as 30 hours.
Note that the ability to send a large number of requests over the same TLS connection between the client and server is an important requirement for carrying out this attack. If the number of requests allowed for a single connection were limited, this would mitigate the vulnerability. However, Nessus has not checked for such a mitigation."
Modifying the java.security file in DevTest_Home/jre/lib/security folder as below resolved the issue.
Change jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
to jdk.tls.disabledAlgorithms=SSLv3, RC4, DESede, DH keySize < 768
This should be read as "disable SSLv3, all RC4 ciphers, all Triple-DES ciphers and any Diffie-Hellman ciphers with a keysize of less than 768 bits."
DESede -is an alias for Triple-DES within the Sun JCE.
You could add all the weak ciphers in security file using this property below
Oracle's JDK and JRE java Cryptographic Algorithms documentation is available at https://www.java.com/en/configure_crypto.html .