
Security Bulletin: Vulnerability in IBM Java SDK affects IBM License Metric Tool v7.5 & v7.2.2 and IBM Tivoli Asset Discovery for Distributed (CVE-2015-7575)

2021-04-26 21:17:25
www.ibm.com

CVSS3: 5.9 Medium
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2: 4.3 Medium
AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Summary

There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 5 that is used by IBM License Metric Tool v7.5 & v7.2.2 and IBM Tivoli Asset Discovery for Distributed. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.

Vulnerability Details

CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security, caused by a collision attack when the MD5 hash function is used for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
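The condition the description names is observable in two handshake messages: the client's signature_algorithms extension (does it offer MD5 at all?) and the TLS 1.2 ServerKeyExchange (did the server actually sign its ephemeral parameters with MD5?). The following Python example, added here and not part of the IBM bulletin or its attached fix script, parses both from raw bytes and reports the MD5 findings a defender would look for in a capture. The message bytes at the bottom are constructed samples, not captured traffic; the curve, point and signature bytes are placeholders.

```python
import struct

# HashAlgorithm and SignatureAlgorithm registry values (RFC 5246, section 7.4.1.4.1).
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
HASH_MD5 = 1


def parse_signature_algorithms_ext(ext_body: bytes) -> list:
    """Parse the body of a ClientHello signature_algorithms extension (type 13).

    Layout: a 2-byte length followed by (hash, signature) byte pairs.
    Returns the offered (hash_name, sig_name) pairs in the order sent.
    """
    if len(ext_body) < 2:
        raise ValueError("signature_algorithms extension too short")
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:2 + length]
    if len(pairs) != length or length % 2 != 0:
        raise ValueError("malformed signature_algorithms extension")
    return [
        (HASH_NAMES.get(h, "hash%d" % h), SIG_NAMES.get(s, "sig%d" % s))
        for h, s in zip(pairs[0::2], pairs[1::2])
    ]


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Parse a TLS 1.2 ServerKeyExchange for an ECDHE suite with named_curve params.

    Layout: curve_type(1) | named_curve(2) | point_len(1) | point
            | hash(1) | sig(1) | sig_len(2) | signature
    The (hash, sig) pair is the SignatureAndHashAlgorithm the server used to sign
    its ephemeral parameters; hash == md5 is the condition CVE-2015-7575 describes.
    """
    if len(body) < 4 or body[0] != 3:  # curve_type 3 == named_curve
        raise ValueError("only named_curve ServerKeyExchange messages are handled")
    (named_curve,) = struct.unpack("!H", body[1:3])
    point_len = body[3]
    point = body[4:4 + point_len]
    off = 4 + point_len
    if len(body) < off + 4:
        raise ValueError("truncated ServerKeyExchange")
    hash_id, sig_id = body[off], body[off + 1]
    (sig_len,) = struct.unpack("!H", body[off + 2:off + 4])
    signature = body[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {
        "named_curve": named_curve,
        "point": point,
        "hash": HASH_NAMES.get(hash_id, "hash%d" % hash_id),
        "sig": SIG_NAMES.get(sig_id, "sig%d" % sig_id),
        "signature": signature,
        "uses_md5": hash_id == HASH_MD5,
    }


def assess_handshake(client_sig_algs_ext: bytes, server_key_exchange: bytes) -> list:
    """Return human-readable findings for the two MD5-related conditions."""
    findings = []
    offered = parse_signature_algorithms_ext(client_sig_algs_ext)
    if any(h == "md5" for h, _ in offered):
        findings.append("client offers md5 in signature_algorithms")
    ske = parse_ecdhe_server_key_exchange(server_key_exchange)
    if ske["uses_md5"]:
        findings.append("server signed ServerKeyExchange with md5/%s" % ske["sig"])
    return findings


# Constructed sample messages (not captured traffic): a client offering md5/rsa,
# sha1/rsa and sha256/rsa, and two servers on curve secp256r1 (0x0017) with a
# placeholder 3-byte point and a placeholder 4-byte signature.
CLIENT_SIGALGS = bytes.fromhex("0006 0101 0201 0401")
SERVER_SKE_MD5 = bytes.fromhex("03 0017 03 04aabb 0101 0004 deadbeef")
SERVER_SKE_SHA256 = bytes.fromhex("03 0017 03 04aabb 0401 0004 deadbeef")

if __name__ == "__main__":
    for label, ske in (("md5-signing server", SERVER_SKE_MD5),
                       ("sha256-signing server", SERVER_SKE_SHA256)):
        print(label, "->", assess_handshake(CLIENT_SIGALGS, ske) or ["no MD5 use observed"])
```

A server that no longer accepts MD5 as a signature hash, which is what the fix and the workaround in this bulletin are aimed at, can never produce the second finding; the first finding is a client-side observation and is useful for spotting legacy clients that still offer MD5.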

Affected Products and Versions

IBM License Metric Tool v7.5 & v7.2.2
IBM Tivoli Asset Discovery for Distributed v7.5 & v7.2.2

Remediation/Fixes

Apply the following fix to remove the vulnerability (the procedure is the same for both products and both versions):

  • Download the script attached to this technote (see the end of the page) to the machine hosting the ILMT/TAD4D server.
  • Log in to the ILMT/TAD4D server machine as the system administrator or as a user with WebSphere administrative privileges, depending on your setup: this procedure requires running administrative commands and restarting the server.
  • Run the appropriate command, depending on your system type (Unix/Windows):

Unix:
<TIP_profile>/bin/wsadmin.sh -f ILMT_TAD4D_SLOTH_fix.jacl -connType NONE <server_installation_path>

Windows:
<TIP_profile>\bin\wsadmin.bat -f ILMT_TAD4D_SLOTH_fix.jacl -connType NONE "<server_installation_path>"

Where <TIP_profile> is the path to the TIP component of the server (by default: /opt/IBM/TIP or C:\Program Files\IBM\TIP) and <server_installation_path> is the installation path of the server (by default: /opt/IBM/ILMT, /opt/IBM/TAD4D, C:\Program Files\IBM\LMT or C:\Program Files\TAD4D).

  • Restart the ILMT/TAD4D server.

Workarounds and Mitigations

For version 7.2.2:

  1. Log in to the WebUI as administrator.
  2. On the task panel to the left, expand the Security item and click SSL certificate and key management.
  3. In the Related Items group in the main panel, click SSL configurations.
  4. For each of the following 3 items (ILMTsecure, ILMTsecure_with_client_auth and NodeDefaultSSLSettings):
  • Click the item on the list.
  • In the Additional Properties group, click Quality of protection (QoP) settings.
  • In the Cipher suites area, in the Selected ciphers group, select all items containing the string “MD5” (you can Control-click to select multiple items) and click the << Remove button.
  • Click the OK button.
  • Click Save in the Messages pane.
  • A server restart is not required.

For version 7.5:

  1. Log in to the WebUI as administrator.
  2. On the task panel to the left, expand the Settings item and click WebSphere Administrative Console.
  3. Click the Launch WebSphere administrative console button in the main panel.
  4. Log in to the WebSphere console.
  5. Proceed with the instructions provided for v7.2.2, starting from Step 2.

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](http://www-01.ibm.com/software/support/einfo.html) to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

Added link for CVE number.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Attachment: ILMT_TAD4D_SLOTH_fix.jacl

Product metadata:

IBM License Metric Tool (product code SS8JFY); Business Unit: Cloud & Data Platform (BU053); Platforms: AIX, HP-UX, Linux, Solaris, Windows; Versions: 7.2.2, 7.5; Line of Business: Automation (LOB45)
Tivoli Asset Discovery for Distributed (product code SSHT5T); Business Unit: IBM Infrastructure w/TPS (BU058); Platforms: AIX, Windows, HP-UX, Linux, Solaris; Versions: 7.2.2, 7.5; Line of Business: Storage (LOB26)
