CVSS3 | 5.9 Medium
---|---
Attack Vector | NETWORK
Attack Complexity | HIGH
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | NONE
Availability Impact | NONE
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2 | 4.3 Medium
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 7 that is used by TPF Toolkit. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
**CVEID:** CVE-2015-7575
**DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
Affected products and versions: TPF Toolkit 4.0.x and 4.2.x

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
TPF Toolkit | 4.2.x | JR55291 | Install the latest version of IBM Installation Manager.<br>Apply Interim Fix 4.2.6 by using IBM Installation Manager.<br>Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from http://www.ibm.com/developerworks/java/jdk/
TPF Toolkit | 4.0.x | JR55292 | Install the latest version of IBM Installation Manager.<br>Apply Interim Fix 4.0.9 by using IBM Installation Manager.<br>Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from http://www.ibm.com/developerworks/java/jdk/

For CVE-2015-7575:
Users of Java 7 and later can address the issue by updating the /jre/lib/security/java.security file as follows (both steps are required):
Java 6 requires code changes in the JSSE component in addition to the java.security file modifications, so upgrading the JDK is the only solution.
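
An added example, not part of the IBM bulletin: a Python check that a `java.security` file carries the settings for this issue. The page does not list the two steps, so the check assumes the commonly documented SLOTH mitigation (MD5 in `jdk.certpath.disabledAlgorithms` and MD5withRSA in `jdk.tls.disabledAlgorithms`); the function names and sample files are constructed for illustration.

```python
# Assumed mitigation for CVE-2015-7575 (the steps are not listed on this page):
# each property must list the given algorithm in its comma-separated value.
REQUIRED = {
    "jdk.certpath.disabledAlgorithms": "MD5",
    "jdk.tls.disabledAlgorithms": "MD5withRSA",
}

def parse_security_properties(text):
    """Parse java.security text: skip comments, join backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a later definition wins
    return props

def missing_mitigations(text):
    """Return the (property, algorithm) pairs that are still missing."""
    props = parse_security_properties(text)
    missing = []
    for prop, algo in REQUIRED.items():
        entries = [e.strip() for e in props.get(prop, "").split(",")]
        # Whole-entry match: "MD5withRSA" does not count as "MD5".
        if algo not in entries:
            missing.append((prop, algo))
    return missing

# Constructed sample files, not taken from a real installation.
UNPATCHED = """\
# certification path and TLS constraints
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""
PATCHED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768, MD5withRSA
"""

if __name__ == "__main__":
    for name, text in (("UNPATCHED", UNPATCHED), ("PATCHED", PATCHED)):
        print(name, missing_mitigations(text) or "both settings present")
```

Run `missing_mitigations` on the contents of each JRE's `java.security` file after the update; an empty list means both assumed entries are present.
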

CPE

Name | Operator | Version
---|---|---
tpf toolkit | eq | 4.0.0
tpf toolkit | eq | 4.0.1
tpf toolkit | eq | 4.0.2
tpf toolkit | eq | 4.0.3
tpf toolkit | eq | 4.0.4
tpf toolkit | eq | 4.0.5
tpf toolkit | eq | 4.0.6
tpf toolkit | eq | 4.0.7
tpf toolkit | eq | 4.0.8
tpf toolkit | eq | 4.2.0