BEAST security vulnerability CVE-2011-3389

A potential security vulnerability exists in Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols. IBM has addressed this vulnerability in the SDK. See IBM® X-Force Exchange for more information about the vulnerability.

You can specify the following JVM system property on the client-side software. This system property adds sufficient randomness to the TLS 1.0 and SSL 3.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST. This change appears to be acceptable within the protocol defined by the relevant TLS and SSL RFCs (standards).
jsse.enableCBCProtection=false|true
Use this system property to add randomness to prevent CBC attacks.
  • In releases earlier than service refresh 1, the default value is false.
  • Start of changes for service refresh 1In releases from service refresh 1, the default value is true, because the use of RC4 algorithms, which was an alternative mitigation, is disabled by default due to security vulnerability CVE-2015-2808. For more information about CVE-2015-2808, see Bar Mitzvah security vulnerability CVE-2015-2808.End of changes for service refresh 1
A value of false specifies that CBC protection is not enabled. A value of true specifies that CBC protection is enabled.
This vulnerability is addressed in this release.