A recent Java update to Java 8 build 131 changed what Java would accept as a “signed” JAR app. Specifically, any JAR signed with an MD5 hash will no longer be considered trusted, as the MD5 hash is now considered to be weak.
This change results in applications refusing to run with an error message like:
preloader: Delivering: ErrorEvent[url=https://XXXXX label=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library cause=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library
This occurs when the site delivering the applet is signing it with an MD5 hash. I’ve seen reports of the PulseSecure PCS and Cisco ASA doing this with the HOBsoft HOBlink Java RDP client, meaning that users are unable to securely access systems behind these devices.
PulseSecure have a workaround for their PCS –https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40580.
Cisco do not currently have a solution.
The simplest workarounds are:
a) downgrade to an earlier release of Java, or
b) re-enable MD5 hash as an acceptable cipher.
Here’s how to do the latter on Windows and macOS (OS X). It involves editing the “java.security” config file which the Java Virtual Machine uses.
Windows (tested on Windows 10)
You will need local administrator access for this.
Close browsers and any Java apps
Open CMD as Administrator
cd "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security" notepad java.security
(The path may be C:\Program Files\Java\jre1.8.0_131\lib\security if you run the 64-bit Java)
Current Line:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Change this to:
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
(i.e. remove the “MD5,”)
Save the file
macOS Sierra (Mac OSX)
cd /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security sudo vi java.security
Enter your password at the prompt so that you can edit the protected file.
Type “/jdk.jar.disabledAlg” to find the relevant line.
Current Line:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
Change this to:
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
(i.e. remove the “MD5,” – use the cursor keys to move to the “MD5,” and press “x” to delete each character)
Save the file by holding down SHIFT and pressing “Z” twice.
Caveat: This workaround is disabling a security measure within Java, so should be considered a risk. However, the risk is only the same as the previous version of Java, and I would assume vendors will eventually update their systems so that they sign Java applets in a secure fashion.
This works with later versions of Java as well. I’ve tried it up to Java 8 Build 161. You do have to repeat the change after each upgrade though as it restores the MD5 text.