Bar Mitzvah security vulnerability CVE-2015-2808

A potential security vulnerability exists in the RC4 algorithm, which is used in Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. A remote attacker could exploit this vulnerability to obtain sensitive information without using an active man-in-the-middle session. Use of the RC4 algorithm is therefore disabled by default in the SDK, as described in the rest of this topic. See IBM® Internet Security Systems for more information about the vulnerability.

Cipher suites that use the RC4 algorithm are disabled by default: For lists of enabled and disabled cipher suites, see Cipher suites.

The jdk.tls.disabledAlgorithms property value includes RC4 by default: The default value of this property is SSLv3, RC4. This property disables certain algorithms. For more information about this property, see Disabled and restricted cryptographic algorithms.
The jsse.enableCBCProtection property is set to true by default: This system property adds randomness to prevent Cipher-Block Chaining (CBC) attacks, thereby addressing the BEAST security vulnerability CVE-2011-3389. The RC4 algorithm was an alternative mitigation. However, because the RC4 algorithm is now disabled by default, this system property is now the only mitigation against the BEAST security vulnerability and so is enabled by default. For more information about the BEAST vulnerability, see BEAST security vulnerability CVE-2011-3389.