Several bugs detected in IBM Java Runtime

Multiple vulnerabilities that could enable a remote attacker to launch a denial-of-service attack have been detected in the IBM Runtime Environment Java Technology Edition v6, according to an IBM Security Bulletin posted on Tuesday.

The integrated software is used by Tivoli Composite Application Manager for SOA, a platform which provides management for services, applications and middleware.

These bugs, which include the vulnerability popularly known as “SLOTH,” were reported by IBM when it updated Java SDK in January 2016. 

"The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake," the bulletin stated.

Employing man-in-the-middle techniques, a saboteur could exploit this flaw to mimic a TLS server and glean credentials, IBM wrote.
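The weakness the bulletin describes is visible on the wire: in a TLS 1.2 handshake the server's ServerKeyExchange message carries a SignatureAndHashAlgorithm pair, and a hash id of 1 means the server signed its ephemeral key with MD5. The following Python is an added example, not code from the article or from IBM, showing how a defender might parse that message (ECDHE, named-curve form as laid out in RFC 5246 and RFC 4492) and flag MD5 or no hash as weak. The two sample messages are constructed fixtures with dummy key and signature bytes, not real handshake captures.

```python
# Added example: detect MD5-signed ServerKeyExchange messages (the SLOTH condition).
# Sample messages below are constructed fixtures, not real captures.

HANDSHAKE_SERVER_KEY_EXCHANGE = 0x0C

# HashAlgorithm / SignatureAlgorithm registries from RFC 5246 section 7.4.1.4.1
HASH_ALGORITHMS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
                   4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGORITHMS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"none", "md5"}


def parse_server_key_exchange(handshake: bytes) -> dict:
    """Parse a TLS 1.2 ServerKeyExchange in the ECDHE named_curve form.

    Layout: type(1)=0x0c, length(3),
            curve_type(1)=0x03, named_curve(2), point_len(1), point,
            hash_alg(1), sig_alg(1), sig_len(2), signature
    """
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    if body[0] != 0x03:
        raise ValueError("only the named_curve ECDHE form is handled here")
    named_curve = int.from_bytes(body[1:3], "big")
    point_len = body[3]
    offset = 4 + point_len
    if offset + 4 > len(body):
        raise ValueError("truncated key exchange parameters")
    hash_id, sig_id = body[offset], body[offset + 1]
    sig_len = int.from_bytes(body[offset + 2:offset + 4], "big")
    signature = body[offset + 4:offset + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {
        "named_curve": named_curve,
        "hash": HASH_ALGORITHMS.get(hash_id, f"unknown({hash_id})"),
        "signature": SIG_ALGORITHMS.get(sig_id, f"unknown({sig_id})"),
        "signature_len": sig_len,
    }


def uses_weak_signature_hash(handshake: bytes) -> bool:
    """True when the server signed its key exchange with MD5 or no hash at all."""
    return parse_server_key_exchange(handshake)["hash"] in WEAK_HASHES


def build_sample(hash_id: int, sig_id: int) -> bytes:
    """Construct a minimal ServerKeyExchange with placeholder point and signature bytes.

    This is a test fixture only: the point and signature are dummy data, not real crypto.
    """
    point = b"\x04" + b"\x11" * 64          # placeholder uncompressed P-256 point (65 bytes)
    signature = b"\xaa" * 16                # placeholder signature bytes
    body = (b"\x03" + (23).to_bytes(2, "big")   # named_curve 23 = secp256r1
            + bytes([len(point)]) + point
            + bytes([hash_id, sig_id])
            + len(signature).to_bytes(2, "big") + signature)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples: one MD5/RSA-signed (weak), one SHA-256/RSA-signed (acceptable)
MD5_RSA_SAMPLE = build_sample(1, 1)
SHA256_RSA_SAMPLE = build_sample(4, 1)

if __name__ == "__main__":
    for name, msg in (("md5/rsa", MD5_RSA_SAMPLE), ("sha256/rsa", SHA256_RSA_SAMPLE)):
        info = parse_server_key_exchange(msg)
        verdict = "WEAK" if uses_weak_signature_hash(msg) else "ok"
        print(f"{name}: {info} -> {verdict}")
```

The check only looks at the algorithm identifiers, which is all a passive monitor or a client-side policy needs in order to reject the handshake; the remediation on the server side is the vendor update the article names.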

According to the security bulletin, a fix is available: IBM Tivoli Composite Application Manager for SOA v7.2.0.1.

UPDATE: This article has been updated to include a fix provided by IBM.