A Browser Exploit Against SSL/TLS (a.k.a. BEAST) vulnerability has been observed. In TLS 1.0 and earlier, the Initialization Vector (IV) of the block cipher encryption can be predicted, which allows a man-in-the-middle attacker to guess the plaintext being encrypted. The affected products are those using TLS 1.0 and earlier.
**Third Party Entry:** PSIRT-ADV0016851
DESCRIPTION:
CVSS Base score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected Product(s) | Version(s) |
---|---|
TNPM Wireline | 1.4.0 |
TNPM Wireline | 1.4.1 |
TNPM Wireline | 1.4.2 |
TNPM Wireline | 1.4.3 |
TNPM Wireline | 1.4.4 |
TNPM Wireline | 1.4.5 |
This issue can be addressed by disabling TLS versions below TLSv1.2 and keeping only TLSv1.2 enabled.
…/IBM/WebSphere/AppServer/products/sklm/config/SKLMConfig.properties
Look for property
TransportListener.ssl.protocols = SSL_TLS
Update the property to have value TLSv1.2, as shown below:
TransportListener.ssl.protocols=TLSv1.2
This will only enable TLS version 1.2.
Save the file.
Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
WAS GUI: go to Security > SSL certificate and key management, and under Related Items, click SSL configurations.
Select each SSL configuration described below, such as NodeDefaultSSLSettings. Under Additional Properties, click Quality of protection (QoP) settings. For Protocol, select the desired protocol, TLSv1.2, then click Apply and Save.
…/IBM/WebSphere/AppServer/profiles/KLMProfile/properties/ssl.client.props
Look for property
‘com.ibm.ssl.protocol’
Update the property to have value TLSv1.2, as shown below:
com.ibm.ssl.protocol=TLSv1.2
Save the file.
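To confirm that both file edits took effect, the following check parses the two properties files and reports whether each protocol property equals TLSv1.2. It is an added example, not part of the original advisory or of any IBM tooling; the sample file contents are constructed, and the parser covers only simple single-line properties.

```python
from pathlib import Path
import re
import sys

# File name -> property the advisory says to set; both must equal TLSv1.2.
CHECKS = {
    "SKLMConfig.properties": "TransportListener.ssl.protocols",
    "ssl.client.props": "com.ibm.ssl.protocol",
}
REQUIRED_VALUE = "TLSv1.2"

# Simplified Java .properties line: key, then '=', ':' or whitespace, then value.
_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:\s]\s*(.*?)\s*$")

def parse_properties(text):
    """Return {key: value}; the last assignment wins, as in java.util.Properties."""
    props = {}
    for line in text.splitlines():
        if line.strip()[:1] in ("", "#", "!"):  # blank line or comment
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def audit(path, text):
    """Return (property, status): 'ok', 'missing', or 'mismatch: <value>'."""
    key = CHECKS.get(Path(path).name)
    if key is None:
        raise ValueError(f"{path}: not a file this check knows about")
    value = parse_properties(text).get(key)
    if value is None:
        return key, "missing"  # commented out or absent
    return key, "ok" if value == REQUIRED_VALUE else "mismatch: " + value

# Constructed sample contents (not taken from a real installation).
SAMPLES = {
    "SKLMConfig.properties": "# listener\nTransportListener.ssl.protocols = SSL_TLS\n",
    "ssl.client.props": "#com.ibm.ssl.protocol=SSL_TLS\ncom.ibm.ssl.protocol=TLSv1.2\n",
}

if __name__ == "__main__":
    # With file paths as arguments, audit those files; otherwise audit the samples.
    inputs = {p: Path(p).read_text(encoding="latin-1") for p in sys.argv[1:]} or SAMPLES
    results = [(p, *audit(p, t)) for p, t in inputs.items()]
    for path, key, status in results:
        print(f"{path}: {key} -> {status}")
    sys.exit(0 if all(s == "ok" for _, _, s in results) else 1)
```

Run it with the full paths to both files as arguments; a non-zero exit status means at least one property is missing or still set to a value other than TLSv1.2.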
None