IBM3860C648964A136AB8E6FDED2DAA455719BC6220E85802D6545F2592C460583DSecurity Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects WebSphere Message Broker and IBM Integration Bus (CVE-2015-7575)
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
Summary
The MD5 “SLOTH” vulnerability on TLS 1.2 affects WebSphere Message Broker and IBM Integration Bus
Vulnerability Details
CVEID: CVE-2015-7575 DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
Affected Products and Versions
IBM Integration Bus V9, V10
WebSphere Message Broker V8
Remediation/Fixes
For users of ODBC SSL using the DataDirect drivers:
You might be vulnerable to SLOTH vulnerability, if you have not applied APAR IT09602 released in August 2015. (Please refer the bulletin at
http://www.ibm.com/support/docview.wss?uid=swg21958955 for more details)
| Product | VRMF | APAR | Remediation/Fix |
|---|---|---|---|
| IBM Integration Bus | V10 | IT09602 | The APAR is available in fix pack 10.0.0.2 and above. |
| IBM Integration Bus | V9 | IT09602 | The APAR is available in fix pack 9.0.0.5 and above. |
| WebSphere Message Broker |
| V8
| IT09602 | An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT09602
The APAR is targeted to be available in fix pack 8.0.0.7.
For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
You should verify thst applying this fix does not cause any compatibility issues. The fix prevents the currently-practical SLOTH attack against the RSA-MD5 client authentication. IBM recommends that you avoid using ciphers which use an MD5 or SHA-1 signature hash.
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?uid=swg27006308
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| websphere message broker | eq | 8.0 | |
| ibm integration bus | eq | 10.0 | |
| ibm integration bus | eq | 9.0 |
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N