Security Bulletin
Summary
There is a vulnerability in IBM® SDK Java™ Technology Edition, Versions 7R1 Service Refresh 3 Fix Pack 1 and earlier releases and Version 8 Service Refresh 1 Fix Pack 1 and earlier releases that is used by IBM® InfoSphere Streams. This vulnerability, commonly referred to as SLOTH, was disclosed as part of the IBM® Java™ SDK updates in January 2016.
Vulnerability Details
CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
Affected Products and Versions
- 1.2.1.0
- 2.0.0.4 and earlier
- 3.0.0.5 and earlier
- 3.1.0.7 and earlier
- 3.2.1.4 and earlier
- 4.0.1.1 and earlier
- 4.1
Remediation/Fixes
Java technology is used for SSL/TLS in InfoSphere Streams. The "SLOTH" vulnerability in Streams can be corrected by applying the appropriate remediation or upgrade documented below.
NOTE: Fix Packs are available on IBM Fix Central.
- Version 4.1: Take one of the following actions:
  - Perform the mitigation steps for Java referenced in the Workarounds and Mitigations section below.
  - Upgrade to InfoSphere Streams Mod Release 4.1.1 (available on Passport Advantage).
- Version 4.0.1: Take one of the following actions:
  - Perform the mitigation steps for Java referenced in the Workarounds and Mitigations section below.
  - Apply 4.0.1 Fix Pack 2 (4.0.1.2) or higher.
- Version 3.2.1: Take one of the following actions:
  - Perform the mitigation steps for Java referenced in the Workarounds and Mitigations section below.
  - Apply 3.2.1 Fix Pack 5 (3.2.1.5) or higher.
- Version 3.1.0: Apply 3.1.0 Fix Pack 8 (3.1.0.8) or higher. If JAVA_HOME is defined, see the note at the end of this section.
- Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher. If JAVA_HOME is defined, see the note at the end of this section.
- Versions 1.2 and 2.0: For version 1.x and 2.x IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.
IMPORTANT NOTE: If JAVA_HOME is set, ensure it points to the install location of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME set to a different location will need to be recompiled after JAVA_HOME has been changed. For more information on compiling with JAVA_HOME set, see the Notes section on the page at this URL: http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en
Workarounds and Mitigations
Customers using Streams versions 3.2.1, 4.0.1, or 4.1 should disable the use of the MD5 hash by editing the java.security file: add or update the entry for the jdk.certpath.disabledAlgorithms property so that it includes "MD5", and add or update the entry for the jdk.tls.disabledAlgorithms property so that it includes "MD5withRSA". If the documented mitigation for the "SLOTH" vulnerability has previously been applied, the java.security file will have entries similar to:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
The java.security file is located in <STREAMS_INSTALL>/java/jre/lib/security. Be certain that each of these lines is not commented out (does not begin with the "#" symbol).
Restart all domains and instances for this change to take effect. You should verify that applying this configuration change does not cause any compatibility issues. Failing to disable the MD5 signature hash leaves you exposed to the attack described above.
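One way to confirm the mitigation above is actually in effect, added here as an example and not part of IBM's bulletin: the Python script below parses a java.security file, ignores commented-out lines, joins backslash-continued lines, and reports which of the two required entries is missing. The function names and the sample file contents are constructed for illustration; it assumes key=value lines and matches entry names exactly as this bulletin writes them.

```python
import sys

# Entries the bulletin requires in each property (exact names as written there).
REQUIRED = {
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}

def parse_properties(text):
    """Parse key=value lines; skip comments, join backslash continuations.
    A later definition of a key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank or commented-out line: not in effect
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def missing_entries(text):
    """Return {property: entry} for each required entry that is not active."""
    props = parse_properties(text)
    missing = {}
    for key, needed in REQUIRED.items():
        # Compare whole comma-separated entries so "MD5withRSA" never counts as "MD5".
        entries = [e.strip() for e in props.get(key, "").split(",")]
        if needed not in entries:
            missing[key] = needed
    return missing

# Constructed samples, not taken from a real installation.
UNMITIGATED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
"""
MITIGATED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \\
    MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNMITIGATED
    for prop, entry in missing_entries(text).items():
        print(f"{prop} does not include {entry}")
```

Run it with the path to <STREAMS_INSTALL>/java/jre/lib/security/java.security as the only argument; no output means both entries are active.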
IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions.
References
Change History
11 March 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 16 June 2018
UID: swg21977838