There is a vulnerability in IBM® SDK Java™ Technology Edition Version 6 that is used by IBM Workload Deployer. The issue was disclosed as part of the IBM Java SDK updates in January 2016 and this vulnerability is commonly referred to as “SLOTH”.
CVEID: CVE-2015-7575**
DESCRIPTION:** The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials. This vulnerability is commonly referred to as “SLOTH”.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
IBM Workload Deployer version 3.1 and later
The solution is to apply the following IBM Workload Deployer fix:
Upgrade the IBM Workload Deployer to the following fix level:
Product
|
VRMF
|
Remediation/First Fix
—|—|—
IBM Workload Deployer System| Release V3.1.0.7| V3.1.0.7 Interim fix10,
None