Security fix for SSL/TLS vulnerability CVE-2013-0169 (also known as "Lucky 13")
A recently discovered SSL, TLS and DTLS Plaintext Recovery Attack, known as "Lucky 13" (CVE-2013-0169) will be addressed in the WebSphere DataPower SOA appliance by APAR fix IC90431.
A stream cipher (RC4) may be used to protect against this vulnerability. The protocol problem that allows the attack only affects block ciphers such as 3DES and AES. RC4 is a stream cipher supported by SSL/TLS and its use avoids this attack entirely.
To configure this in the DataPower WebGUI, enter the string RC4-SHA:RC4-MD5 into the Ciphers property in the Crypto Profile and Save. With this configuration setting, DataPower will only negotiate strong, non-export cipher suites involving RC4 - a stream cipher rather than a block cipher.
This has been addressed in APAR IC90431.
"LUCKY 13" PLAINTEXT RECOVERY ATTACK AGAINST SSL/TLS WITH CBC CIPHERS (CVE-2013-0169)