The JDK’s TLS implementation may not check the TLS vector length as set out in the Internet Engineering Task Force Request For Comments (RFC) 5246. The fix enhances the checking for the vector length.
The JDK's TLS implementation may not check the TLS vector length as set out in the latest RFC 5246. This issue is exploitable on server deployments that use JSSE.
A Java program running on Tivoli Directory Integrator uses Java Secure Socket Extensions (JSSE) to establish the Secure Socket Layer (SSL) connection. The vulnerability could occur when the SSL connection is enabled and only solution is to upgrade the JRE.
The attack does not require local network access nor does it require authentication. but some degree of specialized knowledge and techniques are required. An exploit would not impact the confidentiality of information or the integrity of data, however availability of the system could be compromised.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79435 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS AND VERSIONS:
TDI v6.1.1 , TDI v7.0, TDI v7.1 and TDIv7.1.1
The following IBM JREs have the fixes for this vulnerability.
TDI v6.1.1 and v7.0: Move to JRE 5.0.0 SR 15.
TDI, v7.1 and v7.1.1: Move to JRE 6.0.0 SR 12.
Contact TDI Level 2 support to upgrade to the above required JREs.
Complete CVSS Guide
On-line Calculator V2
IBM Secure Engineering Web Portal
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.