5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
There are multiple vulnerabilities in IBM® Java™ Runtime, Version 7 that is used by IBM Security SiteProtector System. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”.
CVEID: CVE-2016-0483
DESCRIPTION: An unspecified vulnerability related to the AWT component has complete confidentiality impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109945 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
IBM Security SiteProtector System 3.0 and 3.1.1
Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:
For SiteProtector 3.0:
SiteProtector Core Component
|
ServicePack3_0_0_11.xpu
—|—
Event Collector Component
|
RSEvntCol_WINNT_XXX_ST_3_0_0_10.xpu
Agent Manager Component
|
AgentManager_WINNT_XXX_ST_3_0_0_60.xpu
For SiteProtector 3.1.1:
SiteProtector Core Component
|
ServicePack3_1_1_6.xpu
—|—
Agent Manager Component
|
AgentManager_WINNT_XXX_ST_3_1_1_30.xpu
Update Server Component
|
UpdateServer_3_1_1_7.pkg
Event Archiver Component
|
EventArchiver_3_1_1_5.pkg
Manual Upgrader Component
|
MU_3_1_1_6.xpu
Please note that the Update Server, Event Archiver and Manual Upgrader are automatically updated by default. In addition, the same versions of these components apply to both releases of SiteProtector.
Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:
<https://ibmss.flexnetoperations.com/service/ibms/login>
The following mitigation applies for CVE-2015-7575.
There are two types of SiteProtector installs - “Compatible” and “Strict”. This vulnerability only applies to customers who selected the “Compatible” option (which is the default) during the installation process.
The issue can be addressed by updating the java.security files that are included on the machines where the SiteProtector components requiring IBM Java are installed. Complete details can be found in the TechNote article # 1976152 at http://www-01.ibm.com/support/docview.wss?uid=swg21976152
CPE | Name | Operator | Version |
---|---|---|---|
ibm security siteprotector system | eq | 3.0 | |
ibm security siteprotector system | eq | 3.1.1 |
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C