
Security Bulletin: Potential security exposure with IBM WebSphere DataPower SOA Appliance (CVE-2013-0169 also known as "Lucky 13")


Flash (Alert)


Abstract

Security fix for SSL/TLS vulnerability CVE-2013-0169 (also known as "Lucky 13")

Content

A recently disclosed plaintext-recovery attack against SSL, TLS and DTLS, known as "Lucky 13" (CVE-2013-0169), will be addressed in the WebSphere DataPower SOA Appliance by APAR fix IC90431. The attack is a timing side channel in the way a receiver checks CBC padding and the record MAC in block-cipher cipher suites: by sending many crafted records and measuring how long the peer takes to reject each one, an attacker on the network path can recover plaintext bytes.

Until the APAR fix is available in a fix pack, restricting the appliance to a stream cipher (RC4) avoids the vulnerability. The protocol weakness the attack relies on exists only in cipher suites that use a block cipher in CBC mode, such as 3DES and AES. RC4 is a stream cipher supported by SSL/TLS; it produces no padding and so gives the attack nothing to work with. Treat this as an interim workaround only: RC4 has known weaknesses of its own (statistical biases in its keystream), so restore the normal cipher configuration once the fix pack containing IC90431 is installed.

To configure this in the DataPower WebGUI, open each Crypto Profile that needs protecting, enter the string RC4-SHA:RC4-MD5 into the Ciphers property, and Save. With this setting DataPower negotiates only the two strong, non-export RC4 suites (RC4 with HMAC-SHA1 and RC4 with HMAC-MD5), so no block cipher can be selected. Peers that offer no RC4 suite will be unable to complete a handshake, so confirm that all expected clients and back-end servers support RC4 before applying the change.
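As an added illustration, not part of the bulletin or of any IBM tooling, the following Python lint checks a candidate Ciphers string before it is saved into a Crypto Profile and reports every enabled suite that Lucky 13 can reach (a block cipher in CBC mode), plus export and NULL suites that are weak for unrelated reasons. The cipher-suite table is constructed from OpenSSL suite names and is only a subset chosen for illustration; that the Ciphers property accepts OpenSSL-style syntax is an assumption inferred from the bulletin's own RC4-SHA:RC4-MD5 string.

```python
"""Pre-save check for a DataPower Crypto Profile 'Ciphers' string.

Flags any enabled suite that Lucky 13 (CVE-2013-0169) can reach, namely a
block cipher in CBC mode with a MAC-then-encrypt record layer, plus export
and NULL suites that are weak for unrelated reasons.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Suite:
    cipher: str   # bulk cipher algorithm
    kind: str     # "stream", "cbc", "aead" or "null"
    export: bool  # 40- or 56-bit export-grade key


# Constructed lookup table keyed by OpenSSL cipher-suite name. It is a
# subset of OpenSSL's list chosen for illustration, not DataPower's own
# supported-suite list, and it is an assumption that the Ciphers property
# takes these OpenSSL names (the bulletin's RC4-SHA:RC4-MD5 is that syntax).
SUITES: Dict[str, Suite] = {
    "RC4-MD5":            Suite("RC4", "stream", False),
    "RC4-SHA":            Suite("RC4", "stream", False),
    "EXP-RC4-MD5":        Suite("RC4", "stream", True),
    "DES-CBC-SHA":        Suite("DES", "cbc", False),
    "EXP-DES-CBC-SHA":    Suite("DES", "cbc", True),
    "DES-CBC3-SHA":       Suite("3DES", "cbc", False),
    "AES128-SHA":         Suite("AES", "cbc", False),
    "AES256-SHA":         Suite("AES", "cbc", False),
    "AES128-SHA256":      Suite("AES", "cbc", False),
    "AES256-SHA256":      Suite("AES", "cbc", False),
    "DHE-RSA-AES128-SHA": Suite("AES", "cbc", False),
    "DHE-RSA-AES256-SHA": Suite("AES", "cbc", False),
    # AEAD suites carry no CBC padding, so Lucky 13 does not apply to them;
    # whether this firmware offers them is not stated by the bulletin.
    "AES128-GCM-SHA256":  Suite("AES", "aead", False),
    "AES256-GCM-SHA384":  Suite("AES", "aead", False),
    "NULL-MD5":           Suite("NULL", "null", False),
    "NULL-SHA":           Suite("NULL", "null", False),
}


def parse_cipher_string(spec: str) -> List[str]:
    """Expand an OpenSSL-style colon-separated cipher string into the suite
    names it leaves enabled, in order of first appearance.

    '!NAME' and '-NAME' both remove NAME (the subtle difference between them
    in OpenSSL is ignored here); '+NAME' only reorders, so it is skipped.
    Keyword aliases such as HIGH or ALL are not expanded; they pass through
    unchanged and are reported as unknown by lucky13_findings().
    """
    enabled: List[str] = []
    removed: Set[str] = set()
    for token in spec.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        if token[0] in "!-":
            removed.add(token[1:])
        elif token[0] == "+":
            continue
        elif token not in enabled:
            enabled.append(token)
    return [name for name in enabled if name not in removed]


def lucky13_findings(spec: str) -> List[str]:
    """Return one finding per problem; an empty list means the string enables
    only known non-export stream-cipher suites, which the Lucky 13 timing
    oracle cannot reach."""
    findings: List[str] = []
    suites = parse_cipher_string(spec)
    if not suites:
        findings.append("no cipher suites enabled")
    for name in suites:
        suite = SUITES.get(name)
        if suite is None:
            findings.append(f"{name}: unknown suite or alias, review manually")
            continue
        if suite.kind == "cbc":
            findings.append(f"{name}: {suite.cipher} in CBC mode with MAC-then-encrypt, exposed to Lucky 13")
        elif suite.kind == "null":
            findings.append(f"{name}: NULL cipher gives no confidentiality")
        if suite.export:
            findings.append(f"{name}: export-grade key, weak regardless of cipher mode")
    return findings


if __name__ == "__main__":
    for candidate in ("RC4-SHA:RC4-MD5", "AES256-SHA:DES-CBC3-SHA:RC4-SHA"):
        print(candidate, "->", lucky13_findings(candidate) or "no findings")
```

The bulletin's string RC4-SHA:RC4-MD5 produces no findings, while a typical default such as AES256-SHA:DES-CBC3-SHA:RC4-SHA is flagged on its two CBC suites. After saving the profile, confirm the result from a client: openssl s_client -connect HOST:PORT -cipher AES128-SHA (HOST and PORT are placeholders) should fail the handshake, while the same command with -cipher RC4-SHA should succeed; current OpenSSL builds disable RC4 by default, so run the second check from a client that still offers it.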



Document information

WebSphere DataPower SOA Appliances
General

Software version: 3.8.2, 4.0.1, 4.0.2, 5.0.0
Operating system(s): Firmware
Reference #: 1626523
Modified date: 2013-03-08
