BEAST security vulnerability CVE-2011-3389
A potential security vulnerability exists in Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols. IBM has addressed this vulnerability in the SDK. See IBM® X-Force Exchange for more information about the vulnerability.
You can specify the following JVM system property on the client-side software. This system
property adds sufficient randomness to the TLS 1.0 and SSL 3.0 Cipher in Cipher-Block Chaining (CBC)
mode to remediate a threat like BEAST. This change appears to be acceptable within the protocol
defined by the relevant TLS and SSL RFCs (standards).
jsse.enableCBCProtection=false|true
- Use this system property to add randomness to prevent CBC attacks. A value of false specifies that CBC protection is not enabled. A value of true specifies that CBC protection is enabled.
- In releases earlier than service refresh 1, the default value is false.
- In releases from service refresh 1, the default value is true, because the use of RC4 algorithms, which was an alternative mitigation, is disabled by default due to security vulnerability CVE-2015-2808. For more information about CVE-2015-2808, see Bar Mitzvah security vulnerability CVE-2015-2808.
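The following Java check is an added example, not IBM code. It reports whether a negotiated session falls in the SSL 3.0 / TLS 1.0 CBC case described above and whether jsse.enableCBCProtection covers it. The class and method names, the constructed sample sessions, and the treatment of unrecognized property values as "not enabled" are assumptions made for illustration.

```java
import java.util.Locale;

// Added example (not IBM code): flags sessions that rely on jsse.enableCBCProtection.
public class CbcProtectionCheck {

    // Property name from the page; an unset property means "use the release default".
    static final String PROP = "jsse.enableCBCProtection";

    /** True for the protocol versions the page names: SSL 3.0 and TLS 1.0. */
    static boolean affectedProtocol(String protocol) {
        return "SSLv3".equals(protocol) || "TLSv1".equals(protocol);
    }

    /** True when the negotiated suite uses a block cipher in CBC mode. */
    static boolean cbcSuite(String suite) {
        return suite.toUpperCase(Locale.ROOT).contains("_CBC_");
    }

    /**
     * propValue is System.getProperty(PROP). releaseDefault is the default for the
     * installed release (false before service refresh 1, true from it, per the page).
     * Assumption: any value other than "true" is treated as not enabled.
     */
    static String assess(String protocol, String suite, String propValue, boolean releaseDefault) {
        if (!affectedProtocol(protocol) || !cbcSuite(suite)) {
            return "NOT_AFFECTED";
        }
        boolean enabled = (propValue == null) ? releaseDefault : Boolean.parseBoolean(propValue.trim());
        return enabled ? "PROTECTED" : "EXPOSED";
    }

    public static void main(String[] args) {
        String prop = System.getProperty(PROP);
        // Constructed sample sessions, in the form returned by
        // SSLSession.getProtocol() and SSLSession.getCipherSuite().
        String[][] sessions = {
            {"TLSv1",   "SSL_RSA_WITH_AES_128_CBC_SHA"},
            {"SSLv3",   "SSL_RSA_WITH_3DES_EDE_CBC_SHA"},
            {"TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
            {"TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA256"},
        };
        for (String[] s : sessions) {
            // Assumption: pre-service-refresh-1 default, so an unset property reports EXPOSED.
            System.out.printf("%-8s %-40s %s%n", s[0], s[1], assess(s[0], s[1], prop, false));
        }
    }
}
```

Run it with -Djsse.enableCBCProtection=true and again with the property unset to compare the two results for the SSLv3 and TLSv1 rows.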