Security Bulletin: Vulnerability in IBM Java SDK affect IBM Spectrum Scale GUI (CVE-2015-7575)

Summary

There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 that is used by the IBM Spectrum Scale GUI. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.

Vulnerability Details

CVEID: CVE-2015-7575 DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)

Affected Products and Versions

IBM Spectrum Scale V4.2 GUI Advanced and Standard Edition for Linux

Remediation/Fixes

For V4.2.0.0 thru V4.2.0.1, obtain V4.2.0.2 from Fix Central at:

http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.0&platform=All&function=all

Workarounds and Mitigations

None