Security Bulletin
Summary
There is a vulnerability in IBM® Java™ Runtime, Version 7 that is used by IBM Security SiteProtector System. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
Vulnerability Details
CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
Affected Products and Versions
IBM Security SiteProtector System 3.0 and 3.1.1
Remediation/Fixes
Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:
For SiteProtector 3.0:
SiteProtector Core Component | ServicePack3_0_0_11.xpu |
Event Collector Component | RSEvntCol_WINNT_XXX_ST_3_0_0_10.xpu |
Agent Manager Component | AgentManager_WINNT_XXX_ST_3_0_0_60.xpu |
For SiteProtector 3.1.1:
SiteProtector Core Component | ServicePack3_1_1_6.xpu |
Agent Manager Component | AgentManager_WINNT_XXX_ST_3_1_1_30.xpu |
Update Server Component | UpdateServer_3_1_1_7.pkg |
Event Archiver Component | EventArchiver_3_1_1_5.pkg |
Manual Upgrader Component | MU_3_1_1_6.xpu |
Please note that the Update Server, Event Archiver and Manual Upgrader are automatically updated by default. In addition, the same versions of these components apply to both releases of SiteProtector.
Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:
https://ibmss.flexnetoperations.com/service/ibms/login
Workarounds and Mitigations
There are two types of SiteProtector installs - "Compatible" and "Strict". This vulnerability only applies to customers who selected the "Compatible" option (which is the default) during the installation process.
The issue can be addressed by updating the java.security files that are included on the machines where the SiteProtector components requiring IBM Java are installed. Complete details can be found in the TechNote article # 1976152 at http://www-01.ibm.com/support/docview.wss?uid=swg21976152
Get Notified about Future Security Bulletins
References
Acknowledgement
CVE-2015-7575 was reported to IBM by Karthikeyan Bhargavan at INRIA in Paris, France.
Change History
8 February 2016: Original Version Published
17 March 2016: Updated Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21976042