Java Security Resource Center

What's New

2020-10-20

• October 2020 Critical Patch Update is now available
• JDK 15 is now available!
• Visit the Java Cryptographic Roadmap
• Advanced Management Console

• Summary video of security changes between Java 7 and 8.
• New Secure Coding Guidelines
• Java 8 Security Enhancements
• Manage multiple versions on client systems

Security for developers

Developers creating secure applications with Java should familiarize themselves with the following resources:

• See the Java 8 Security Highlights for a summary of security changes between Java 7 and Java 8.
• Integrate JDK 8's new Type Annotations into your program to identify, prevent, and help fix errors:
  • View an introductory video about the role of Type Annotations: Enhanced Metadata - Annotations and Access to Parameter Names.
  • Read an article about Type Annotations in Java 8: Tools and Opportunities.
  • Download and start using the Checker Framework.
• Secure Coding Guidelines – learn defensive coding strategies to properly mitigate weaknesses in software and prevent vulnerabilities.
  • Oracle Secure Coding Guidelines - Updated for Java 8
• Security enhancements in JDK 8 include many new cryptographic algorithms, improved randomization, and protocol updates.
• For Applet & Web Start applications, view the RIA security checklist and understand the expanding role of code signatures for authenticating your identity to end-users.
  • 7u51 provides an Exception Site List for already-shipped applications that cannot be updated per the RIA security checklist.
• Java SE Security Overview — lists APIs, specifications, and developer-related secure deployment information (such as code signing & timestamping).
• Names of cryptographic algorithms available within the Java Cryptographic Architecture.
• For a better understanding of Java security or to get involved in the community, look at the OpenJDK Security Group.
• For other periodic information, please access the Oracle Java Product Management blog and subscribe via RSS readers.

Advanced Management Console

The Advanced Management Console helps system administators manage old Java versions by which applications need which older Java version. The Advanced Management Console decreases the attack surface of those older versions by limiting their exposure and maintaining compatibility with known-safe applications.

Security for System Administrators

System Administrators are responsible for running Java applications in a secure manner, following principle of least privilege, and staying up to date with Java’s secure baseline (either for standard Java SE or the Server JRE).

• Apply the Critical Patch of Java 8u31 or 7u75 to disable SSLv3 POODLE by default, or disable SSLv3 in older versions.
• Evaluate the Advanced Management Console to secure needed older versions by tracking usage, decreasing the attack surface, and maintaining compatibility.
• See the Java 8 Security Highlights for a summary of security changes between Java 7 and Java 8.
• Control TLS compatibility on servers and clients to choose the most secure/compatible combinations.
• Security enhancements in JDK 8 include many new cryptographic algorithms, improved randomization, and protocol updates.
• Stay up to date:
  • Receive email notification of Critical Patch Updates
  • Critical Patch Update general information page
• If required, manage multiple Java versions on client systems through static installations and use Deployment Rule Sets for old-version compatibility.
• Whitelist Applet & WebStart applications across managed computers through Deployment Rule Sets (full documentation).
• Consider using the Server JRE for server systems, such as application servers or other long-running back-end processes. The Server JRE is the same as the regular JRE except that the Server JRE does not contain the web-browser plugins.
  • Consider upgrading to Unlimited Strength Cryptography for sensitive information.
• Use trusted timestamping when signing and verifying signed JAR files to prevent your artifacts from expiring early.
• See properties that can be configured within Java installations.
• Java SE Security Overview – lists APIs, specifications, and developer-related secure deployment information (such as code signing & timestamping).

Security for END Users

End Users running Java on their computers only need a few steps to verify and understand Java security on their devices:

• Use the Exception Site List to run specific RIAs, while they are being updated to meet newer security requirements.
• Always use the latest version of Java on your computer.
  • Java will periodically prompt you to update when it detects that there is a new version.
  • Remove old versions of Java from your computer.
• Only download Java from the following websites:
  • Java.com (most users).
  • Advanced users may download from the Oracle Technology Network.
• If needed, disconnect Java from your web browser.
• What other actions can I take to increase the security of Java?

Security for Security Professionals

Security Professionals performing system auditing, threat modeling, architecture, or code reviews of Java applications should familiarize themselves with Java’s security architecture and API documentation.

• Evaluate the Advanced Management Console to secure needed older versions by tracking usage, decreasing the attack surface, and maintaining compatibility.
• Ensure that all systems are up to date with the latest security patches.
• How to check if you have SSLv3 enabled in Java SE (and how to disable it).
• Java SE Security Overview – lists APIs, specifications, and developer-related secure deployment information (such as code signing & timestamping).
• Secure Coding Guidelines – learn defensive coding strategies to properly mitigate weaknesses in software and prevent vulnerabilities.
  • Oracle Secure Coding Guidelines
• Security Specifications:
  • Names of cryptographic algorithms available within the Java Cryptographic Architecture.
  • Java Cryptographic Architecture specification
  • Sandbox Specification
• Verify that all signed code is properly timestamped to prevent early expiration.