5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
There is a vulnerability in IBM® Java™ Runtime, Version 7 that is used by IBM Security SiteProtector System. This vulnerability, commonly referred to as “SLOTH”, was disclosed as part of the IBM Java SDK updates in January 2016.
CVEID: CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
IBM Security SiteProtector System 3.0 and 3.1.1
Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:
For SiteProtector 3.0:
SiteProtector Core Component
|
ServicePack3_0_0_11.xpu
—|—
Event Collector Component
|
RSEvntCol_WINNT_XXX_ST_3_0_0_10.xpu
Agent Manager Component
|
AgentManager_WINNT_XXX_ST_3_0_0_60.xpu
For SiteProtector 3.1.1:
SiteProtector Core Component
|
ServicePack3_1_1_6.xpu
—|—
Agent Manager Component
|
AgentManager_WINNT_XXX_ST_3_1_1_30.xpu
Update Server Component
|
UpdateServer_3_1_1_7.pkg
Event Archiver Component
|
EventArchiver_3_1_1_5.pkg
Manual Upgrader Component
|
MU_3_1_1_6.xpu
Please note that the Update Server, Event Archiver and Manual Upgrader are automatically updated by default. In addition, the same versions of these components apply to both releases of SiteProtector.
Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:
<https://ibmss.flexnetoperations.com/service/ibms/login>
There are two types of SiteProtector installs - “Compatible” and “Strict”. This vulnerability only applies to customers who selected the “Compatible” option (which is the default) during the installation process.
The issue can be addressed by updating the java.security files that are included on the machines where the SiteProtector components requiring IBM Java are installed. Complete details can be found in the TechNote article # 1976152 at http://www-01.ibm.com/support/docview.wss?uid=swg21976152
CPE | Name | Operator | Version |
---|---|---|---|
ibm security siteprotector system | eq | 3.0 | |
ibm security siteprotector system | eq | 3.1.1 |
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N