News
Abstract
Security fixes are available for IBMJSSE2 to address vulnerabilities in SSL 3.0 and TLS 1.0. These fixes cover the Browser Exploit Against SSL/TLS (BEAST) threat and a security vulnerability in an SSL socketFactory method.
Content
BEAST security vulnerability CVE-2011-3389:
A potential security vulnerability with Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols is addressed in IBM SDK for Java.
IBM's Java Secure Socket Extension (IBMJSSE2) has been modified. A JVM system property can be specified on the client side software that adds sufficient randomness to the TLS 1.0 and SSL 3.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST. This change appears to be acceptable within the protocol defined by the relevant TLS and SSL RFCs (standards).
For more information about BEAST, see IBM Internet Security Systems.
The following system property can be set that adds sufficient randomness to the SSLv3/TLS 1.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST.
-
jsse.enableCBCProtection=false | true
-
jsse.enableCBCProtection=false
Do not enable CBC protection. This is the default setting.
-
jsse.enableCBCProtection=true
CBC protection is enabled.
SocketFactory vulnerability CVE-2011-3560:
The HttpsURLConnection class does not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy.
If you have Java applications or applets with a legitimate need to set a particular SSLSocketFactory, you must make the following change after applying the fix:
- Update the Java security java.policy file to include the "setFactory" permission, if it is not already there. Use java.lang.RuntimePermission("setFactory").
The fixes for the BEAST and SocketFactory vulnerabilities are available in the following IBM SDK for Java release level:
- IBM SDK for Java 7, service refresh 1
- IBM SDK for Java 6, service refresh 10
- IBM SDK for Java 5, service refresh 13, fix pack 1
- IBM SDK for Java 1.4.2, service refresh 13, fix pack 11
The IBM SDKs are available here: developerWorks: IBM developer kits
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.