Security Bulletin: Potential security exposure with IBM WebSphere DataPower SOA Appliance (CVE-2013-0169 also known as "Lucky 13")

Flash (Alert)


Abstract

Security fix for SSL/TLS vulnerability CVE-2013-0169 (also known as "Lucky 13")

Content

A recently discovered SSL, TLS and DTLS Plaintext Recovery Attack, known as "Lucky 13" (CVE-2013-0169) will be addressed in the WebSphere DataPower SOA appliance by APAR fix IC90431.

A stream cipher (RC4) may be used to protect against this vulnerability. The protocol weakness that enables the attack affects only block ciphers used in CBC mode, such as 3DES and AES. RC4 is a stream cipher supported by SSL/TLS, and its use avoids this attack entirely.

To configure this in the DataPower WebGUI, enter the string RC4-SHA:RC4-MD5 into the Ciphers property of the Crypto Profile and save. With this setting, DataPower will only negotiate strong, non-export cipher suites based on RC4, a stream cipher rather than a block cipher.
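The Ciphers property takes an OpenSSL-style cipher string, so the practical check is whether a given string still leaves any CBC-mode suite negotiable. The following script is an added example, not IBM's or DataPower's code: it expands a colon-separated cipher string against a small, hand-built table of OpenSSL suite names (a constructed subset, not the full list), honours the `!` and `-` removal keywords, and reports which CBC and export-grade suites remain. The keyword handling (`ALL`, `EXP`, bulk-cipher names such as `AES`) is a simplified reading of OpenSSL's syntax and is an assumption of this example, as is the ordering of suites selected by `ALL`.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL-style suite name
    bulk: str       # bulk cipher: RC4, 3DES, AES, DES
    mode: str       # "CBC" (block cipher, Lucky 13 applies) or "STREAM"
    export: bool    # export-grade (deliberately weakened) suite


# Constructed lookup table: a small subset of OpenSSL suite names of the era.
# Assumption: names and modes follow common OpenSSL naming; not from the bulletin.
SUITE_TABLE: Dict[str, Suite] = {s.name: s for s in [
    Suite("RC4-SHA", "RC4", "STREAM", False),
    Suite("RC4-MD5", "RC4", "STREAM", False),
    Suite("EXP-RC4-MD5", "RC4", "STREAM", True),
    Suite("DES-CBC3-SHA", "3DES", "CBC", False),
    Suite("AES128-SHA", "AES", "CBC", False),
    Suite("AES256-SHA", "AES", "CBC", False),
    Suite("EXP-DES-CBC-SHA", "DES", "CBC", True),
]}


def _matches(token: str, suite: Suite) -> bool:
    """Does a cipher-string keyword select this suite? (simplified OpenSSL rules)"""
    if token == "ALL":
        return True
    if token in ("EXP", "EXPORT"):
        return suite.export
    # A bare suite name, or a bulk-cipher keyword such as "RC4" or "AES".
    return token in (suite.name, suite.bulk)


def expand_cipher_list(cipher_string: str) -> List[str]:
    """Expand a colon-separated cipher string into the ordered suite names it allows.

    '!X' removes X and prevents later tokens from re-adding it;
    '-X' removes X but a later token may add it back;
    any other token appends the suites it matches (table order; a simplification).
    Unknown names match nothing and are silently ignored, as OpenSSL does.
    """
    allowed: List[str] = []
    banned = set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            banned.update(n for n, s in SUITE_TABLE.items() if _matches(token[1:], s))
            allowed = [n for n in allowed if n not in banned]
        elif token.startswith("-"):
            dropped = {n for n, s in SUITE_TABLE.items() if _matches(token[1:], s)}
            allowed = [n for n in allowed if n not in dropped]
        else:
            for n, s in SUITE_TABLE.items():
                if _matches(token, s) and n not in allowed and n not in banned:
                    allowed.append(n)
    return allowed


def audit_cipher_list(cipher_string: str) -> dict:
    """Report what a cipher string leaves negotiable and whether CBC suites remain."""
    suites = [SUITE_TABLE[n] for n in expand_cipher_list(cipher_string)]
    cbc = [s.name for s in suites if s.mode == "CBC"]
    export = [s.name for s in suites if s.export]
    return {
        "negotiable": [s.name for s in suites],
        "cbc_suites": cbc,            # suites to which the Lucky 13 attack applies
        "export_suites": export,      # weakened suites the bulletin's string excludes
        "lucky13_exposed": bool(cbc),
    }


if __name__ == "__main__":
    # The bulletin's recommended string beside a permissive, constructed default.
    for cipher_string in ("RC4-SHA:RC4-MD5", "ALL:!EXP"):
        print(cipher_string, "->", audit_cipher_list(cipher_string))
```

Running the script prints the audit for the bulletin's string (no CBC or export suites remain) next to a permissive string that still negotiates 3DES and AES in CBC mode; the same function can be pointed at whatever string is actually entered into the Crypto Profile to confirm the intended result before saving.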

This has been addressed in APAR IC90431:

"LUCKY 13" PLAINTEXT RECOVERY ATTACK AGAINST SSL/TLS WITH CBC CIPHERS (CVE-2013-0169)
http://www.ibm.com/support/docview.wss?uid=swg1IC90431


Document information


More support for:

WebSphere DataPower SOA Appliances
General

Software version:

3.8.2, 4.0.1, 4.0.2, 5.0.0

Operating system(s):

Firmware

Reference #:

1626523

Modified date:

2013-03-08
