Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Sterling Connect:Direct FTP+ (CVE-2015-7575).

2020-07-24 22:49:37
www.ibm.com

EPSS: 0.003 (Percentile: 69.2%)

Summary

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Versions 7.0.5 and 6.0.14, which are used by IBM Sterling Connect:Direct FTP+. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.

Vulnerability Details

CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct FTP+ 1.3.0

Remediation/Fixes

| V.R.M | APAR | Remediation |
| --- | --- | --- |
| 1.3.0 | IT14195, IT14554 | For all platforms except for HP-UX on Itanium, apply 1.3.0 Fix002, available on Fix Central. For HP-UX on Itanium, apply 1.3.0 Fix003, available on Fix Central. |

Workarounds and Mitigations

For all platforms except for HP-UX on PA_RISC, the following mitigation is available. It is an optional alternative to applying the fix.

* Edit the {C:D FTP+ installation directory}/jre/lib/security/java.security file.
* Add MD5 to jdk.certpath.disabledAlgorithms - for example, jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
* Add MD5withRSA to jdk.tls.disabledAlgorithms - for example, jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768,MD5withRSA

For HP-UX on PA_RISC, there is no mitigation available. The only option is to apply the fix.
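To verify that the two java.security edits above are actually in place, and to apply them when they are not, here is an added Python example (not IBM's code or part of the bulletin). It assumes java.security follows java.util.Properties syntax (`#` comments, backslash line continuations) and uses a constructed sample file modelled on a pre-fix Java 7 configuration.

```python
REQUIRED = {  # property -> entry the bulletin says to add
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}

SAMPLE = """\
# constructed sample, not an IBM-shipped java.security
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""

def logical_lines(lines):
    """Yield (first_index, last_index, text), joining backslash continuations."""
    i = 0
    while i < len(lines):
        start, buf = i, lines[i].strip()
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + lines[i].strip()
        yield start, i, buf
        i += 1

def parse_java_security(text):
    """Return {key: value} for every non-comment key=value logical line."""
    props = {}
    for _, _, line in logical_lines(text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def missing_mitigations(text):
    """Return the (property, entry) pairs the bulletin requires that are absent."""
    props = parse_java_security(text)
    return [(p, e) for p, e in REQUIRED.items()
            if e not in [x.strip() for x in props.get(p, "").split(",")]]

def apply_mitigations(text):
    """Append each missing entry to its property (collapsing a continued value
    into one line); a property that is absent altogether is added at the end."""
    lines = text.splitlines()
    for prop, entry in missing_mitigations(text):
        for start, end, line in logical_lines(lines):
            key, _, value = line.partition("=")
            if line[:1] not in ("#", "!") and key.strip() == prop:
                value = value.strip()
                lines[start:end + 1] = [f"{prop}={value}, {entry}" if value else f"{prop}={entry}"]
                break
        else:
            lines.append(f"{prop}={entry}")
    return "\n".join(lines) + "\n"
```

Run missing_mitigations() against the real {C:D FTP+ installation directory}/jre/lib/security/java.security to confirm the workaround, and compare apply_mitigations() output with the file before overwriting it.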