There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 6 Service Refresh 16 Fix Pack 5 and earlier releases that is used by ITNCM. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109415> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
Product | Java Version
---|---
ITNCM 6.3.0.6 IF003 and earlier. | IBM® Runtime Environment Java™ Technology Edition, Version 6 Service Refresh 16 Fix Pack 5 and earlier releases
ITNCM 6.4.1.3 IF001 and earlier. | IBM® Runtime Environment Java™ Technology Edition, Version 6 Service Refresh 16 Fix Pack 5 and earlier releases
ITNCM 6.4.2.0. | IBM® Runtime Environment Java™ Technology Edition, Version 7, please see Workarounds and Mitigations.
Product | VRMF | Remediation/First Fix
---|---|---
ITNCM | 6.4.1.3 | 6.4.1.3-TIV-ITNCM-IF002 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Netcool+Configuration+Manager&fixids=6.4.1.3-TIV-ITNCM-IF002&source=SAR
ITNCM | 6.3.0.6 | 6.3.0.6-TIV-ITNCM-IF005 http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Netcool+Configuration+Manager&fixids=6.3.0.6-TIV-ITNCM-IF005&source=SAR
Users of Java 7 and later can address the issue by updating the /jre/lib/security/java.security file as follows (both steps are required):
- Add MD5 to the jdk.certpath.disabledAlgorithms property, e.g. jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
- Add MD5withRSA to the jdk.tls.disabledAlgorithms property, e.g. jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
Java 6 requires code changes in the JSSE component in addition to the java.security file modifications, so upgrading the JDK is the only solution.
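To confirm that both java.security changes described above for Java 7 and later are in place, the following added example (not part of the IBM bulletin or any IBM tool) parses the file's text and reports which of the two entries is still missing. The function names and sample inputs are constructed for illustration; it assumes `=` as the key/value separator and matches the algorithm names exactly as the bulletin writes them.

```python
# Added example: audit java.security text for the two SLOTH workaround entries.
REQUIRED = {  # property -> algorithm name, both as given in the bulletin
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}

# Constructed sample inputs (not taken from a real installation).
SAMPLE_UNPATCHED = """\
# constructed sample
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
"""
SAMPLE_PATCHED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \\
    MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
"""

def parse_security_properties(text):
    """Skip comments, join backslash-continued lines, last assignment wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending += line[:-1]  # value continues on the next line
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props

def missing_sloth_settings(text):
    """Return (property, algorithm) pairs from REQUIRED that are not set."""
    props = parse_security_properties(text)
    missing = []
    for prop, algo in REQUIRED.items():
        # Whole-entry comparison: "MD5withRSA" must not count as "MD5".
        entries = [e.strip() for e in props.get(prop, "").split(",")]
        if algo not in entries:
            missing.append((prop, algo))
    return missing

if __name__ == "__main__":
    for name, text in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(name, missing_sloth_settings(text) or "both entries present")
```

Because the match is exact, an entry written with different casing is reported as missing and should be reviewed by hand.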