Several bugs detected in IBM Java Runtime

Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition v6 could enable a remote attacker to launch a denial-of-service attack.
Multiple vulnerabilities that could enable a remote attacker to launch a denial-of-service attack have been detected in the IBM Runtime Environment Java Technology Edition v6, according to an IBM Security Bulletin posted on Tuesday.

The integrated software is used by Tivoli Composite Application Manager for SOA, a platform which provides management for services, applications and middleware.

These bugs, which include the vulnerability popularly known as “SLOTH,” were reported by IBM when it updated its Java SDK in January 2016.

"The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake," the bulletin stated.

Employing man-in-the-middle techniques, a saboteur could exploit this flaw to mimic a TLS server and glean credentials, IBM wrote.
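The weakness the bulletin describes is a peer that still accepts MD5 as the hash in a TLS 1.2 signature_algorithms pair. The following added example (not code from the article or from IBM) parses that extension's bytes as laid out in RFC 5246 and flags the pairs a SLOTH-hardened policy should refuse; the sample extension bytes are constructed for the demonstration.

```python
# Added example: parse a TLS 1.2 signature_algorithms extension body and
# flag MD5-based (hash, signature) pairs, the condition SLOTH abuses.
import struct

# Code points from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_signature_algorithms(body: bytes):
    """Parse the extension_data of a signature_algorithms extension.

    Layout: a 2-byte big-endian length N, followed by N/2 pairs of
    (HashAlgorithm, SignatureAlgorithm) bytes.  Malformed input raises
    ValueError rather than being silently truncated.
    """
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", body[:2])
    if length % 2 or len(body) != 2 + length:
        raise ValueError("bad signature_algorithms length field")
    pairs = []
    for i in range(2, 2 + length, 2):
        h, s = body[i], body[i + 1]
        pairs.append((HASH_NAMES.get(h, f"hash{h}"),
                      SIG_NAMES.get(s, f"sig{s}")))
    return pairs


def weak_signature_algorithms(pairs):
    """Return the pairs a SLOTH-aware policy should reject: MD5 or no hash."""
    return [p for p in pairs if p[0] in ("md5", "none")]


# Constructed sample: a peer offering sha256/rsa, sha1/rsa, md5/rsa, sha256/ecdsa
SAMPLE_EXT = bytes([0x00, 0x08,        # length = 8 (four pairs)
                    0x04, 0x01,        # sha256 / rsa
                    0x02, 0x01,        # sha1   / rsa
                    0x01, 0x01,        # md5    / rsa  <- SLOTH-relevant
                    0x04, 0x03])       # sha256 / ecdsa

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE_EXT)
    print("offered:", offered)
    print("reject under hardened policy:", weak_signature_algorithms(offered))
```

Run against captured ClientHello or CertificateRequest extension data, a non-empty result from `weak_signature_algorithms` identifies a peer that still tolerates MD5 signatures in the handshake.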

According to the security bulletin, a fix is available: IBM Tivoli Composite Application Manager for SOA v7.2.0.1.

UPDATE: This article has been updated to include a fix provided by IBM.
