Security Bulletin: Vulnerability in IBM Java Runtime affect Rational Host On-Demand (CVE-2015-7575)

Summary

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 1.7SR6 that is used by IBM Rational Host On-Demand This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.

Vulnerability Details

CVEID: CVE-2015-7575**
DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)

Affected Products and Versions

Host On-Demand 11.0.14 and earlier

Remediation/Fixes

User need to upgrade to 11.0.14 Special Build-2
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Host+On-Demand&release=11.0.14.0&platform=All&function=all

Workarounds and Mitigations

Users of Java 7 and later (eg Using Host On Demand 11.0.9 – 11.0.14) can address the issue by updating the Server JRE /jre/lib/security/java.security file as follows (both steps are required):

· Add MD5 to the jdk.certpath.disabledAlgorithms property - e.g. jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5

· Add MD5withRSA to the jdk.tls.disabledAlgorithms property - e.g. jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA