CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 that is used by IBM Spectrum Scale RAID/IBM GPFS Native RAID. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
**CVEID:** CVE-2015-7575
**DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
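
As an added illustration of the description above (not code from IBM's bulletin or SDK): a TLS 1.2 ECDHE ServerKeyExchange carries a two-byte SignatureAndHashAlgorithm ahead of the signature, so a captured handshake message can be checked for an MD5-based signature. The function names and the sample message are constructed for this example, and only named-curve ECDHE parameters are handled.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm values (RFC 5246, section 7.4.1.4.1)
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"md5"}  # the hash the collision attack in the description relies on


def parse_ecdhe_ske(msg: bytes) -> dict:
    """Parse a TLS 1.2 ServerKeyExchange handshake message (ECDHE, named curve)."""
    if len(msg) < 4 or msg[0] != 12:  # HandshakeType 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    if len(body) < 4 or body[0] != 3:  # ECCurveType 3 = named_curve
        raise ValueError("only ECDHE named_curve parameters are handled")
    curve_id, point_len = struct.unpack_from("!HB", body, 1)
    off = 4 + point_len  # start of SignatureAndHashAlgorithm
    if len(body) < off + 4:
        raise ValueError("missing signature fields")
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, off)
    if len(body) != off + 4 + sig_len:
        raise ValueError("signature length does not match message length")
    hash_name = HASHES.get(hash_id, f"unknown({hash_id})")
    return {
        "curve_id": curve_id,
        "hash": hash_name,
        "signature": SIGS.get(sig_id, f"unknown({sig_id})"),
        "weak": hash_name in WEAK_HASHES,
    }


def build_sample(hash_id: int, sig_id: int) -> bytes:
    """Constructed sample: curve 23 (secp256r1), dummy 65-byte point, dummy signature."""
    point = b"\x04" + bytes(64)
    sig = bytes(256)
    body = b"\x03" + struct.pack("!HB", 23, len(point)) + point
    body += struct.pack("!BBH", hash_id, sig_id, len(sig)) + sig
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for h, s in [(1, 1), (4, 1)]:  # md5/rsa (flagged) and sha256/rsa
        print(parse_ecdhe_ske(build_sample(h, s)))
```
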
The Elastic Storage Server versions 4.0, 3.5, 3.0 and 2.5.
The GPFS Storage Server versions 2.5 and 2.0.
For the Elastic Storage Server 4.0, obtain 4.0.1 to upgrade your system. See release note for details.
The image is at Fix Central http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.2.0&platform=All&function=all
For the Elastic Storage Server 3.5 thru 3.5.2, obtain 3.5.3 to upgrade your system. See release note for details.
The image is at Fix Central http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all
For the Elastic Storage Server 3.0 thru 3.0.5, contact IBM Service to obtain an efix for IV81398. Follow the APAR_IV81398_ESS30xGUI_README for details.
For the Elastic Storage Server 2.5 thru 2.5.5, contact IBM Service to obtain an efix for IV81398. Follow the APAR_IV81398_ESS25xJava_README for details.
For the GPFS Storage Server 2.0 thru 2.0.7, contact IBM Service to obtain an efix for IV81398. Follow the APAR_IV81398_GSS20xJava_README for details.
For the GPFS Storage Server 2.5, contact Lenovo at http://shop.lenovo.com/us/en/systems/servers/high-density/gpfs-storage/
None
CPE

Name | Operator | Version |
---|---|---|
ibm spectrum scale raid | eq | 4.1.1 |
ibm spectrum scale raid | eq | 4.2 |
ibm elastic storage server | eq | any |