Security vulnerability fixes: IBM Java Secure Socket Extension (IBMJSSE2)

Abstract

Security fixes are available for IBMJSSE2 to address vulnerabilities in SSL 3.0 and TLS 1.0. These fixes cover the Browser Exploit Against SSL/TLS (BEAST) threat and a security vulnerability in an SSL socketFactory method.

Content

BEAST security vulnerability CVE-2011-3389:

A potential security vulnerability with Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols is addressed in IBM SDK for Java.

IBM's Java Secure Socket Extension (IBMJSSE2) has been modified. A JVM system property can be specified on the client-side software that adds sufficient randomness to the TLS 1.0 and SSL 3.0 cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST. This change appears to be acceptable within the protocol defined by the relevant TLS and SSL RFCs (standards).

For more information about BEAST, see IBM Internet Security Systems.

The following system property can be set to add sufficient randomness to the SSLv3/TLS 1.0 cipher in Cipher-Block Chaining (CBC) mode and so remediate a threat like BEAST:

    jsse.enableCBCProtection=false | true

    jsse.enableCBCProtection=false
        Do not enable CBC protection. This is the default setting.
    jsse.enableCBCProtection=true
        CBC protection is enabled.

SocketFactory vulnerability CVE-2011-3560:

The HttpsURLConnection class does not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy.

If you have Java applications or applets with a legitimate need to set a particular SSLSocketFactory, you must make the following change after applying the fix:
  • Update the Java security policy file (java.policy) to include the "setFactory" permission, if it is not already there: java.lang.RuntimePermission("setFactory").
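As an added example (not from this advisory and not IBM's SDK code), the following Java program checks both settings described above from inside an application: whether the JVM was started with the CBC protection property, and whether the running code holds the setFactory permission that the fixed setSSLSocketFactory method now requires under a SecurityManager. The run command, the policy file name, the codeBase and the class name are assumptions, and it assumes a Java 7-era JVM run with a security manager.

```java
// Added example, not part of the IBM advisory. Assumed run command and policy:
//
//   java -Djsse.enableCBCProtection=true -Djava.security.manager \
//        -Djava.security.policy=app.policy -cp /opt/app JsseFixCheck
//
// app.policy (constructed; adjust the codeBase to where the classes live):
//   grant codeBase "file:/opt/app/-" {
//       permission java.lang.RuntimePermission "setFactory";
//       permission java.util.PropertyPermission "jsse.enableCBCProtection", "read";
//   };
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

public class JsseFixCheck {
    // True when the JVM was started with -Djsse.enableCBCProtection=true
    // (the advisory's default is false, so an absent property means "off").
    static boolean cbcProtectionEnabled() {
        return Boolean.parseBoolean(System.getProperty("jsse.enableCBCProtection", "false"));
    }

    // True when the caller holds RuntimePermission("setFactory"), the check the
    // fixed HttpsURLConnection.setSSLSocketFactory performs under a SecurityManager.
    static boolean mayReplaceSocketFactory() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true; // no sandbox, so no policy restriction applies
        }
        try {
            sm.checkPermission(new RuntimePermission("setFactory"));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("CBC protection enabled: " + cbcProtectionEnabled());
        System.out.println("setFactory permission held: " + mayReplaceSocketFactory());
        // Install a custom factory only when policy allows it. With the fix applied,
        // a sandboxed caller lacking the permission would get a SecurityException here.
        if (mayReplaceSocketFactory()) {
            HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://example.invalid/").openConnection();
            conn.setSSLSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
            System.out.println("Custom SSLSocketFactory installed (no connection opened).");
        }
    }
}
```

openConnection() only creates the connection object; no network connection is made, so the program runs offline.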


The fixes for the BEAST and SocketFactory vulnerabilities are available in the following IBM SDK for Java release levels:
  • IBM SDK for Java 7, service refresh 1
  • IBM SDK for Java 6, service refresh 10
  • IBM SDK for Java 5, service refresh 13, fix pack 1
  • IBM SDK for Java 1.4.2, service refresh 13, fix pack 11


The IBM SDKs are available here: developerWorks: IBM developer kits

Document information

More support for: Runtimes for Java Technology, Security
Software version: 1.4.2, 5.0, 6.0, 7.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Software edition: Java SE
Reference #: 1571596
Modified date: 2013-02-15
