Browser Exploit Against SSL/TLS (a.k.a. BEAST) security vulnerability in Controller



Customer runs vulnerability-scanning software (for example IBM AppScan) against Controller. A 'BEAST' vulnerability is detected.


AppScan report:
Browser Exploit Against SSL/TLS (a.k.a. BEAST)
Severity: Medium
CVSS Score: 6.4
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web server or application server are configured in an insecure way
Fix: Change server's supported ciphersuites
Reasoning: AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed above.
[SSLv3/TLS1.0 cipher suites with CBC]
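The following is an added illustration, not part of IBM's technote and not Controller's own code. It shows what the report's criterion ("SSLv3/TLS1.0 cipher suites with CBC") means when applied to a list of handshakes a scanner managed to negotiate, and what the suggested fix ("change server's supported ciphersuites") looks like on a generic TLS server using Python's standard `ssl` module. The handshake list is constructed sample data; the hardened context is generic Python usage and says nothing about how Controller itself is configured.

```python
import ssl

# BEAST targets CBC-mode record chaining in SSLv3 and TLS 1.0, where each
# record's IV is the previous record's last ciphertext block.  TLS 1.1 and
# later use explicit per-record IVs, so the same CBC suite negotiated under
# TLS 1.1+ is not exposed to this attack.  Suite names use IANA spelling
# (..._CBC_...); every entry in SAMPLE_HANDSHAKES is constructed.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}

SAMPLE_HANDSHAKES = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),           # exposed
    ("SSLv3",   "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),          # exposed
    ("TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),               # stream cipher: not a BEAST finding (weak for other reasons)
    ("TLSv1.2", "TLS_RSA_WITH_AES_256_CBC_SHA"),           # CBC, but explicit IVs: not exposed
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),  # AEAD: not exposed
]


def is_beast_exposed(protocol: str, suite: str) -> bool:
    """True when a negotiated (protocol, suite) pair matches the scanner's
    finding: a CBC-mode block cipher over SSLv3 or TLS 1.0."""
    return protocol in BEAST_PROTOCOLS and "_CBC_" in suite.upper()


def audit_handshakes(handshakes):
    """Return the (protocol, suite) pairs from a scan that need remediation."""
    return [(proto, suite) for proto, suite in handshakes
            if is_beast_exposed(proto, suite)]


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that removes the finding at the protocol layer:
    refusing SSLv3, TLS 1.0 and TLS 1.1 means no CBC suite can be negotiated
    under a BEAST-affected protocol.  Generic Python ssl usage, not
    Controller's own configuration (assumption for illustration)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Prefer AEAD suites with forward secrecy; CBC suites are then unreachable
    # regardless of the negotiated version.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def hardened_minimum_version() -> str:
    """Name of the protocol floor the hardened context enforces ('TLSv1_2')."""
    return hardened_server_context().minimum_version.name


if __name__ == "__main__":
    for proto, suite in audit_handshakes(SAMPLE_HANDSHAKES):
        print(f"BEAST-exposed: {proto} {suite}")
    print("hardened protocol floor:", hardened_minimum_version())
```

Run as a script it lists the two constructed handshakes that match the finding and confirms the hardened context refuses anything below TLS 1.2. Note that the RC4 entry is deliberately not flagged: it does not meet the CBC criterion the report states, although it would fail other scanner checks.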


This is caused by a defect (APAR PI47785) in Controller 10.2.5110.91 and some earlier versions.

Resolving The Problem

Upgrade to Controller 10.2.5110.95 (also known as 10.2.1 FP1 IF1 GA) or later.

15 June 2018