Several bugs detected in IBM Java Runtime
Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition v6 could enable a remote attacker to launch a denial-of-service attack.
The runtime is used by Tivoli Composite Application Manager for SOA, a platform that provides management for services, applications and middleware.
These bugs, which include the vulnerability popularly known as “SLOTH,” were reported by IBM when it updated Java SDK in January 2016.
"The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake," the bulletin stated.
Using man-in-the-middle techniques, an attacker could exploit this flaw to impersonate a TLS server and obtain credentials, IBM wrote.
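The bulletin's wording points at one field an auditor can check: the hash a server names when it signs its ServerKeyExchange. The sketch below is an added example, not code from IBM or from the original article. It assumes a TLS 1.2 ECDHE (named_curve) ServerKeyExchange body with the 4-byte handshake header already removed; the function names and the sample messages are constructed for illustration.

```python
import struct

# HashAlgorithm / SignatureAlgorithm values from RFC 5246, section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"md5"}  # the hash named in the bulletin


def parse_ecdhe_ske(body: bytes):
    """Return (hash, signature, sig_len) from a TLS 1.2 ECDHE ServerKeyExchange body."""
    if len(body) < 4 or body[0] != 3:  # curve_type 3 = named_curve
        raise ValueError("not a named_curve ECDHE ServerKeyExchange")
    point_len = body[3]
    off = 4 + point_len  # skip curve_type(1) + named_curve(2) + length(1) + point
    if len(body) < off + 4:
        raise ValueError("truncated before SignatureAndHashAlgorithm")
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, off)
    if len(body) != off + 4 + sig_len:
        raise ValueError("signature length does not match message length")
    return (HASHES.get(hash_id, f"unknown({hash_id})"),
            SIGS.get(sig_id, f"unknown({sig_id})"), sig_len)


def audit_ske(body: bytes) -> str:
    """Classify one ServerKeyExchange for a handshake audit."""
    try:
        hash_name, sig_name, _ = parse_ecdhe_ske(body)
    except ValueError as exc:
        return f"unparsed: {exc}"
    verdict = "WEAK" if hash_name in WEAK_HASHES else "ok"
    return f"{verdict}: {sig_name} signature over {hash_name}"


def build_sample(hash_id: int, sig_id: int) -> bytes:
    """Constructed message: secp256r1 (0x0017), dummy point and dummy signature."""
    point = b"\x04" + bytes(64)
    signature = bytes(256)
    return (b"\x03\x00\x17" + bytes([len(point)]) + point
            + struct.pack("!BBH", hash_id, sig_id, len(signature)) + signature)


if __name__ == "__main__":
    # MD5-signed, SHA-256-signed, and a truncated capture (all constructed)
    for sample in (build_sample(1, 1), build_sample(4, 1), build_sample(1, 1)[:40]):
        print(audit_ske(sample))
```

Truncated or non-ECDHE messages are reported as unparsed rather than passed as clean, so a gap in a capture is not mistaken for a safe handshake.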
According to the security bulletin, a fix is available: IBM Tivoli Composite Application Manager for SOA v220.127.116.11.
UPDATE: This article has been updated to include a fix provided by IBM.