5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Versions 7.0.5 and 6.0.14 that are used by IBM Sterling Connect:Direct FTP+. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
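The server-impersonation path described above only works against a client that is willing to accept an MD5-based signature on ServerKeyExchange, and a TLS 1.2 client advertises exactly that in the signature_algorithms extension of its ClientHello (RFC 5246 section 7.4.1.4.1). The following is an added example, not code from the IBM bulletin or from Connect:Direct FTP+: it builds a constructed ClientHello, parses the extension, and flags any offered algorithm that hashes with MD5. The ClientHello bytes are constructed for the example, not captured traffic, and the cipher-suite values inside it are arbitrary.

```python
"""Added example (not code from the IBM bulletin): inspect a TLS 1.2 ClientHello's
signature_algorithms extension and flag MD5-based signature algorithms, which is
what a SLOTH server-impersonation attack needs the client to accept.
All ClientHello bytes below are constructed for the example, not captured traffic."""
import struct

# RFC 5246 section 7.4.1.4.1 HashAlgorithm and SignatureAlgorithm code points
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
MD5 = 1
SIGNATURE_ALGORITHMS_EXT = 13  # extension type of signature_algorithms


def build_client_hello(sig_algs):
    """Construct a minimal TLS 1.2 ClientHello record carrying the given
    (hash, signature) pairs in signature_algorithms (sample input for the example)."""
    body = b"\x03\x03" + bytes(32)                        # client_version 1.2, 32-byte random
    body += b"\x00"                                       # empty session_id
    ciphers = b"\xc0\x2f\x00\x9c"                         # two cipher suites (values arbitrary here)
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"                                   # one compression method: null
    pairs = b"".join(struct.pack("!BB", h, s) for h, s in sig_algs)
    ext_data = struct.pack("!H", len(pairs)) + pairs      # supported_signature_algorithms vector
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext             # extensions vector
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_signature_algorithms(record):
    """Return the (hash, signature) pairs offered in signature_algorithms,
    or [] when the ClientHello carries no such extension."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip client_version and random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return []                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SIGNATURE_ALGORITHMS_EXT:
            n = struct.unpack("!H", edata[:2])[0]
            sa = edata[2:2 + n]
            return [(sa[i], sa[i + 1]) for i in range(0, len(sa), 2)]
    return []


def weak_signature_algorithms(record):
    """Names of offered algorithms that hash with MD5: a client advertising any of
    these will accept an MD5-signed ServerKeyExchange, the SLOTH precondition."""
    return [f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}"
            for h, s in parse_signature_algorithms(record) if h == MD5]


if __name__ == "__main__":
    hello = build_client_hello([(4, 1), (1, 1), (2, 1)])   # sha256/rsa, md5/rsa, sha1/rsa
    print(weak_signature_algorithms(hello))
```

A ClientHello with no signature_algorithms extension returns an empty list and is not flagged: under RFC 5246 a server then falls back to SHA-1-based signatures, not MD5. The fixed IBM Java levels stop offering md5/rsa in this extension, which is the client-side effect of the `jdk.tls.disabledAlgorithms` mitigation given later on this page.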
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
IBM Sterling Connect:Direct FTP+ 1.3.0
| V.R.M | APAR | Remediation |
|---|---|---|
| 1.3.0 | IT14195, IT14554 | For all platforms except HP-UX on Itanium, apply 1.3.0 Fix002, available on Fix Central. For HP-UX on Itanium, apply 1.3.0 Fix003, available on Fix Central. |
For all platforms except HP-UX on PA_RISC, the following mitigation is available as an optional alternative to applying the fix:
* Edit the {C:D FTP+ installation directory}/jre/lib/security/java.security file.
* Add MD5 to jdk.certpath.disabledAlgorithms, for example: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
* Add MD5withRSA to jdk.tls.disabledAlgorithms, for example: jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
* Restart Connect:Direct FTP+ afterwards; java.security is read when the JVM starts, so a running process does not pick up the change.
For HP-UX on PA_RISC there is no mitigation; the only option is to apply the fix.
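The java.security edit above is easy to get wrong by hand (typo in the property name, entry added twice, a commented-out duplicate of the property) and has to be repeated on every host. The following is an added example, not code from the IBM bulletin or from Connect:Direct FTP+, that applies the two entries idempotently and checks whether a given file already carries them. The sample file contents are constructed to resemble a Java 7 java.security and are not a real file; the helper also joins backslash continuation lines, which later JDK releases use for these properties, so the same checker works on newer files.

```python
"""Added example (not code from the IBM bulletin): apply and verify the java.security
mitigation (MD5 in jdk.certpath.disabledAlgorithms, MD5withRSA in
jdk.tls.disabledAlgorithms) idempotently, so it can be scripted across hosts.
The sample file below is constructed to resemble a Java 7 java.security, not a real one."""
import re

# property -> entry the mitigation requires
TARGETS = {
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}
# matches an active (not commented-out) line setting one of the two properties
_KEY_RE = re.compile(r"\s*(jdk\.(?:certpath|tls)\.disabledAlgorithms)\s*=\s*(.*)$")


def _split_entries(value):
    """Comma-separated disabledAlgorithms value -> list of trimmed entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def disabled_algorithms(text, key):
    """Entries of one disabledAlgorithms property (backslash continuations joined), [] if absent."""
    joined = re.sub(r"\\\n\s*", "", text)
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(.*)$", joined, re.M)
    return _split_entries(m.group(1)) if m else []


def is_mitigated(text):
    """True when both entries the bulletin asks for are present (case-insensitive)."""
    certpath = {e.lower() for e in disabled_algorithms(text, "jdk.certpath.disabledAlgorithms")}
    tls = {e.lower() for e in disabled_algorithms(text, "jdk.tls.disabledAlgorithms")}
    return "md5" in certpath and "md5withrsa" in tls


def harden_java_security(text):
    """Return the file with the two entries appended where missing; other lines untouched.
    Running it on already-hardened text returns it unchanged."""
    lines = text.splitlines()
    out, seen, i = [], set(), 0
    while i < len(lines):
        m = _KEY_RE.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        key, value = m.group(1), m.group(2)
        while value.rstrip().endswith("\\") and i + 1 < len(lines):  # join continuation lines
            value = value.rstrip()[:-1] + lines[i + 1].strip()
            i += 1
        entries = _split_entries(value)
        if TARGETS[key].lower() not in {e.lower() for e in entries}:
            entries.append(TARGETS[key])
        out.append(key + "=" + ", ".join(entries))
        seen.add(key)
        i += 1
    for key, entry in TARGETS.items():
        if key not in seen:              # property absent: add it with just the required entry
            out.append(key + "=" + entry)
    return "\n".join(out) + "\n"


# Constructed excerpt modelled on a Java 7 java.security (not a real file); the
# default values are the ones quoted in the bulletin's mitigation steps.
SAMPLE = """\
# Constructed sample, not a real java.security
security.provider.1=sun.security.provider.Sun
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
"""

if __name__ == "__main__":
    hardened = harden_java_security(SAMPLE)
    print(hardened, "mitigated:", is_mitigated(hardened))
```

To use it on a real installation, read `{C:D FTP+ installation directory}/jre/lib/security/java.security`, pass the contents through `harden_java_security`, write the result back, and restart the product; `is_mitigated` on the written file is the post-change check, and re-running the hardening step is safe because it never appends an entry that is already present.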
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ibm sterling connect:direct ftp+ | eq | 1.3.0 |