For the vulnerability see
Mozilla wiki has a page with recommendations for ciphersuites:
How would I apply those or similar recommendations in the Java context (SSLContext, provider configuration, Tomcat connectors etc.)?
From Java 7 onwards cipher suites can be excluded from use via a security policy file called that’s located under Java Runtime Environment in the /lib/security directory.
The policy file defines the jdk.tls.disabledAlgorithms property to control TLS cipher selection. There is also a complementary property jdk.certpath.disabledAlgorithms to control algorithms encountered in SSL certificates. You can find the documentation for this property on the Oracle website: JSSE Reference Guide
By default, as of Java 7 the following policy applies:
jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
This means: no MD5, no SHA1, no DSA. RSA is allowed only if the key is at least 2048 bits long. You can use this property to further tailor a site deployment to specific needs.
All the cipher suites enabled by default in Java are found here under section Ciphers (unless the default SunJSSE crypto provider has been explicitly overridden and is not used).
As you can see, all EXPORT cipher suites are disabled by default, so there is no need to configure anything for the FREAK attack.
About POODLE: You have to think about this in both Java 7 and 8, because the SSLv3 protocol has only been disabled by default from JDK 8u31 (see section Protocols here).
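An added example, not part of the original answer: it sets jdk.tls.disabledAlgorithms programmatically and then filters SSLv3 and EXPORT suites per connection through SSLParameters, so the result does not depend on the installed JRE's defaults. The class name TlsPolicyCheck, the helpers isWeak and withoutWeak, and the choice to append only "SSLv3" are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsPolicyCheck { // hypothetical class name
    // The two cases discussed above: SSLv3 (POODLE) and EXPORT suites (FREAK).
    static boolean isWeak(String name) {
        return name.equals("SSLv3") || name.contains("_EXPORT_");
    }

    // Returns the names that are not weak, preserving their order.
    static String[] withoutWeak(String[] names) {
        List<String> kept = new ArrayList<>();
        for (String n : names) {
            if (!isWeak(n)) kept.add(n);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // JVM-wide: same property as in the policy file. Set it before the first
        // TLS object is created. Appending "SSLv3" is this example's assumption.
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (current == null || current.isEmpty()) {
            Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3");
        } else if (!current.contains("SSLv3")) {
            Security.setProperty("jdk.tls.disabledAlgorithms", current + ", SSLv3");
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        SSLEngine engine = ctx.createSSLEngine();

        // Per-connection: filter explicitly, so the result does not depend on
        // which JRE update (and therefore which default policy) is installed.
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(withoutWeak(params.getProtocols()));
        params.setCipherSuites(withoutWeak(params.getCipherSuites()));
        engine.setSSLParameters(params);

        // Report what remains enabled.
        for (String p : engine.getEnabledProtocols()) System.out.println("protocol " + p);
        for (String c : engine.getEnabledCipherSuites()) System.out.println("suite    " + c);
    }
}
```

The same filtered arrays can be passed to setEnabledProtocols and setEnabledCipherSuites on an SSLSocket or SSLServerSocket.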