Security fix for SSL/TLS vulnerability CVE-2013-0169 (also known as "Lucky 13")
A recently discovered SSL, TLS and DTLS Plaintext Recovery Attack, known as "Lucky 13" (CVE-2013-0169) will be addressed in the WebSphere DataPower SOA appliance by APAR fix IC90431.
Until such time as the APAR fix is available in a fix pack, a stream cipher (RC4) may be used to protect against this vulnerability. The protocol problem that allows the attack only affects block ciphers such as 3DES and AES. RC4 is a stream cipher supported by SSL/TLS and its use avoids this attack entirely.
To configure this in the DataPower WebGUI, enter the string RC4-SHA:RC4-MD5 into the Ciphers property in the Crypto Profile and Save. With this configuration setting, DataPower will only negotiate strong, non-export cipher suites involving RC4 - a stream cipher rather than a block cipher.