5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 5 that is used by IBM License Metric Tool v7.5 & v7.2.2 and IBM Tivoli Asset Discovery for Distributed. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
CVEID: CVE-2015-7575 DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N
IBM License Metric Tool v7.5 & v7.2.2
IBM Tivoli Asset Discovery for Distributed v7.5 & v7.2.2
Apply the following fix to remove the vulnerability (the procedure is the same for both products and both versions):
<TIP_profile>/bin/wsadmin.sh -f ILMT_TAD4D_SLOTH_fix.jacl -connType NONE <server_installation_path>
<TIP_profile>\bin\wsadmin.bat -f ILMT_TAD4D_SLOTH_fix.jacl -connType NONE “<server_installation_path>”
Where <TIP_profile> is the path to TIP component of server (by default: /opt/IBM/TIP or C:\Program Files\IBM\TIP) and <server_installation_path> is the installation path of the server (by default: /opt/IBM/ILMT, /opt/IBM/TAD4D, C:\Program Files\IBM\LMT or C:\Program Files\TAD4D).
For version 7.2.2:
For version 7.5:
Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
Complete CVSS v2 Guide
On-line Calculator v2
Off
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Added link for CVE number.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
ILMT_TAD4D_SLOTH_fix.jacl
[{“Product”:{“code”:“SS8JFY”,“label”:“IBM License Metric Tool”},“Business Unit”:{“code”:“BU053”,“label”:“Cloud & Data Platform”},“Component”:“–”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“7.2.2;7.5”,“Edition”:“”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}},{“Product”:{“code”:“SSHT5T”,“label”:“Tivoli Asset Discovery for Distributed”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:" “,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF033”,“label”:“Windows”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”}],“Version”:“7.2.2;7.5”,“Edition”:”",“Line of Business”:{“code”:“LOB26”,“label”:“Storage”}}]
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N