IBM Support

Security Bulletin: "SLOTH" vulnerability in IBM Java SDK affects InfoSphere Streams (CVE-2015-7575)

Created by Lisa Foisy on
Published URL: https://www.ibm.com/support/pages/node/543393

Security Bulletin


Summary

There is a vulnerability in IBM® SDK Java™ Technology Edition, Versions 7R1 Service Refresh 3 Fix Pack 1 and earlier releases and Version 8 Service Refresh 1 Fix Pack 1 and earlier releases that is used by IBM® InfoSphere Streams. This vulnerability, commonly referred to as SLOTH, was disclosed as part of the IBM® Java™ SDK updates in January 2016.

Vulnerability Details

CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

  • 1.2.1.0
  • 2.0.0.4 and earlier
  • 3.0.0.5 and earlier
  • 3.1.0.7 and earlier
  • 3.2.1.4 and earlier
  • 4.0.1.1 and earlier
  • 4.1

Remediation/Fixes

Java technology is used for SSL/TLS in InfoSphere Streams. The "SLOTH" vulnerability in Streams can be corrected by applying the appropriate remediation or upgrade documented below.

NOTE: Fix Packs are available on IBM Fix Central.

    • Version 4.1: Take one of the following actions:
      • Perform the mitigation steps for Java referenced in the Workarounds and Mitigations section below.
      • Upgrade to InfoSphere Streams Mod Release 4.1.1 (available on Passport Advantage).
    • Version 4.0.1: Take one of the following actions:
    • Version 3.2.1: Take one of the following actions:
    • Version 3.1.0: Apply 3.1.0 Fix Pack 8 (3.1.0.8) or higher. If JAVA_HOME is defined, see the note at the end of this section.
    • Version 3.0.0: Apply 3.0 Fix Pack 6 (3.0.0.6) or higher. If JAVA_HOME is defined, see the note at the end of this section.
    • Versions 1.2 and 2.0: For version 1.x and 2.x IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.

IMPORTANT NOTE: If JAVA_HOME is set, ensure it points to the install location of the upgraded IBM Developer Kit, Java. Applications compiled with JAVA_HOME set to a different location will need to be recompiled after JAVA_HOME has been changed. For more information on compiling with JAVA_HOME set, see the Notes section on the page at this URL: http://www-01.ibm.com/support/knowledgecenter/SSCRJU_4.0.0/com.ibm.streams.install.doc/doc/ibminfospherestreams-install-prerequisites-java-supported-sdks.html?lang=en

Workarounds and Mitigations

Customers using Streams versions 3.2.1, 4.0.1, or 4.1 should disable the use of the MD5 hash by editing the java.security file: add or update the entry for the jdk.certpath.disabledAlgorithms property so that it includes "MD5", and add or update the entry for the jdk.tls.disabledAlgorithms property so that it includes "MD5withRSA". If the documented mitigation for the "SLOTH" vulnerability has previously been applied, the java.security file will have entries similar to:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA

The java.security file is located in <STREAMS_INSTALL>/java/jre/lib/security. Be certain that these lines are not commented out (do not begin with the "#" symbol).

Restart all domains and instances for this change to take effect. You should verify that applying this configuration change does not cause any compatibility issues. Failing to disable the MD5 signature hash leaves you exposed to the attack described above.
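
A check for the mitigation described above, as an added example (not IBM's code): it parses a java.security file, skipping commented lines and joining backslash-continued entries, and reports which of the two properties still lacks its MD5 entry. The sample file contents are constructed, and the function names are this example's own.

```python
import sys
# Entries the bulletin says each property must contain.
REQUIRED = {
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}

# Constructed sample contents (not taken from a real installation).
SAMPLE_UNMITIGATED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
"""
SAMPLE_MITIGATED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \\
    MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
"""

def parse_security_properties(text):
    """Return {key: value} for active entries; a later definition replaces an earlier one."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        # Comments and blank lines only count at the start of an entry.
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):  # backslash: entry continues on the next line
            logical += line[:-1]
            continue
        key, sep, value = (logical + line).partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props

def missing_mitigations(text):
    """List the properties that do not contain the entry the bulletin requires."""
    props = parse_security_properties(text)
    missing = []
    for key, algorithm in REQUIRED.items():
        entries = [e.strip() for e in props.get(key, "").split(",")]
        if algorithm not in entries:  # whole-entry match: "MD5withRSA" is not "MD5"
            missing.append(f"{key} lacks {algorithm}")
    return missing

if __name__ == "__main__":
    with open(sys.argv[1], encoding="latin-1") as fh:  # path to java.security
        print("\n".join(missing_mitigations(fh.read())) or "both MD5 entries present")
```

Run it with the path to the java.security file under <STREAMS_INSTALL>/java/jre/lib/security. Entries are compared exactly as the bulletin spells them.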

IBM recommends that you review your entire environment to identify other areas where you have enabled the MD5 signature hash and take appropriate mitigation and remediation actions.

References

Change History

11 March 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 16 June 2018

UID: swg21977838