IBME410710A81FC685FE45ADC2C5389D76BEA00C26109AA8757AC86027F3C12F1A8Security Bulletin: Vulnerability in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575)
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
Summary
There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 that is used by IBM Spectrum Scale RAID/IBM GPFS Native RAID. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
Vulnerability Details
CVEID: CVE-2015-7575**
DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
Affected Products and Versions
The Elastic Storage Server versions 4.0, 3.5, 3.0 and 2.5.
The GPFS Storage Server versions 2.5 and 2.0.
Remediation/Fixes
For the Elastic Storage Server 4.0, obtain 4.0.1 to upgrade your system. See release note for details.
The image is at Fix Central http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.2.0&platform=All&function=all
For the Elastic Storage Server 3.5 thru 3.5.2, obtain 3.5.3 to upgrade your system. See release note for details.
The image is at Fix Central http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all
For the Elastic Storage Server 3.0 thru 3.0.5, contact IBM Service to obtain an efix for IV81398. Follow the APAR_IV81398_ESS30xGUI_README for details.
For the Elastic Storage Server 2.5 thru 2.5.5, contact IBM Service to obtain an efix for IV81398. Follow the APAR_IV81398_ESS25xJava_README for details.
For the GPFS Storage Server 2.0 thru 2.0.7, contact IBM Service to obtain an efix for IV81398. Follow the APAR_IV81398_GSS20xJava_README for details.
For the GPFS Storage Server 2.5, contact Lenovo at http://shop.lenovo.com/us/en/systems/servers/high-density/gpfs-storage/
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm spectrum scale raid | eq | 4.1.1 | |
| ibm spectrum scale raid | eq | 4.2 | |
| ibm elastic storage server | eq | any |
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N