Security fixes are available for IBMJSSE2 to address vulnerabilities in SSL 3.0 and TLS 1.0. These fixes cover the Browser Exploit Against SSL/TLS (BEAST) threat and a security vulnerability in an SSL socketFactory method.
BEAST security vulnerability CVE-2011-3389:
A potential security vulnerability with Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols is addressed in IBM SDK for Java.
IBM's Java Secure Socket Extension (IBMJSSE2) has been modified. A JVM system property can be specified on the client side software that adds sufficient randomness to the TLS 1.0 and SSL 3.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST. This change appears to be acceptable within the protocol defined by the relevant TLS and SSL RFCs (standards).
For more information about BEAST, see IBM Internet Security Systems.
The following system property can be set that adds sufficient randomness to the SSLv3/TLS 1.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST.
jsse.enableCBCProtection=false | true
Do not enable CBC protection. This is the default setting.
CBC protection is enabled.
SocketFactory vulnerability CVE-2011-3560:
The HttpsURLConnection class does not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy.
If you have Java applications or applets with a legitimate need to set a particular SSLSocketFactory, you must make the following change after applying the fix:
- Update the Java security java.policy file to include the "setFactory" permission, if it is not already there. Use java.lang.RuntimePermission("setFactory").
The fixes for the BEAST and SocketFactory vulnerabilities are available in the following IBM SDK for Java release level:
- IBM SDK for Java 7, service refresh 1
- IBM SDK for Java 6, service refresh 10
- IBM SDK for Java 5, service refresh 13, fix pack 1
- IBM SDK for Java 1.4.2, service refresh 13, fix pack 11
The IBM SDKs are available here: developerWorks: IBM developer kits