Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2016-0483 and CVE-2015-7575)

Summary

There are multiple vulnerabilities in IBM® Java™ Runtime, Version 7 that is used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”.

Vulnerability Details

CVEID: CVE-2016-0483

DESCRIPTION: An unspecified vulnerability related to the AWT component has complete confidentiality impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109945 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-7575

DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.

CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)

Affected Products and Versions

IBM Security SiteProtector System 3.0 and 3.1.1

Remediation/Fixes

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

For SiteProtector 3.0:

SiteProtector Core Component

|

ServicePack3_0_0_11.xpu

—|—

Event Collector Component

|

RSEvntCol_WINNT_XXX_ST_3_0_0_10.xpu

Agent Manager Component

|

AgentManager_WINNT_XXX_ST_3_0_0_60.xpu

For SiteProtector 3.1.1:

SiteProtector Core Component

|

ServicePack3_1_1_6.xpu

—|—

Agent Manager Component

|

AgentManager_WINNT_XXX_ST_3_1_1_30.xpu

Update Server Component

|

UpdateServer_3_1_1_7.pkg

Event Archiver Component

|

EventArchiver_3_1_1_5.pkg

Manual Upgrader Component

|

MU_3_1_1_6.xpu

Please note that the Update Server, Event Archiver and Manual Upgrader are automatically updated by default. In addition, the same versions of these components apply to both releases of SiteProtector.

Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:
<https://ibmss.flexnetoperations.com/service/ibms/login&gt;

Workarounds and Mitigations

The following mitigation applies for CVE-2015-7575.

There are two types of SiteProtector installs - “Compatible” and “Strict”. This vulnerability only applies to customers who selected the “Compatible” option (which is the default) during the installation process.

The issue can be addressed by updating the java.security files that are included on the machines where the SiteProtector components requiring IBM Java are installed. Complete details can be found in the TechNote article # 1976152 at http://www-01.ibm.com/support/docview.wss?uid=swg21976152