Multiple vulnerabilities that could enable a remote attacker to launch a denial-of-service attack have been detected in the IBM Runtime Environment Java Technology Edition v6, according to an IBM Security Bulletin posted on Tuesday.
The integrated software is used by Tivoli Composite Application Manager for SOA, a platform that provides management for services, applications and middleware.
These bugs, which include the vulnerability popularly known as “SLOTH,” were reported by IBM when it updated the Java SDK in January 2016.
“The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake,” the bulletin stated.
Employing man-in-the-middle techniques, a saboteur could exploit this flaw to mimic a TLS server and glean credentials, IBM wrote.
No workarounds or mitigations have yet been provided.