PT-2015-5505 · Ibm · Ibm Java 8+1

Karthikeyan Bhargavan · Published 2015-06-03 · Updated 2026-05-27 · CVE-2015-1916

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: IBM Java 8 versions before SR1
Description: The vulnerability allows remote attackers to cause a denial of service via unknown vectors related to SSL/TLS and the Secure Socket Extension provider. Additionally, a vulnerability in IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections, facilitating brute-force decryption of TLS/SSL traffic between vulnerable clients and servers using man-in-the-middle techniques. This is also known as the FREAK attack.
Recommendations: For IBM Java 8 versions before SR1, update to a version that includes the SR1 fix to resolve the issue. As a temporary workaround, consider restricting the use of RSA temporary keys in non-export RSA key exchange ciphersuites to minimize the risk of exploitation.
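As an added illustration of the ciphersuite-restriction workaround (example code written for this page, not IBM's own guidance or code), the snippet below uses the standard JSSE API to drop every export-grade suite from the default SSL parameters so a client never offers a suite that a FREAK-style downgrade could land on. The list of suite names passed to the filter in the demonstration is constructed for the example; the helper name `dropExportSuites` is an assumption, not a JSSE API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class ExportSuiteFilter {

    // Remove any suite whose JSSE name marks it as export-grade (40-bit or 512-bit RSA).
    // Hypothetical helper written for this example.
    static List<String> dropExportSuites(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !s.contains("EXPORT"))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a mix of modern and export-grade suite names.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"
        };
        List<String> kept = dropExportSuites(sample);
        System.out.println("Kept: " + kept);
        // Kept: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]

        // Apply the same filter to the JVM's real default parameters.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        List<String> hardened = dropExportSuites(params.getCipherSuites());
        params.setCipherSuites(hardened.toArray(new String[0]));
        // 'params' can now be passed to SSLSocket.setSSLParameters(...) or
        // SSLEngine.setSSLParameters(...) before the handshake begins.
        System.out.println("Default suites after filtering: " + hardened.size());
    }
}
```

On a current JVM the default list already contains no export suites, so the second count simply confirms that; the value of the check is on older or vendor-patched runtimes where such suites may still be enabled, and it is a client-side complement to the server-side advice above about temporary RSA keys.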

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2015-1916

Affected Products

Ibm Aix
Ibm Java 8