IBM Support

Security Bulletin: TADDM uses weak SSL certificates (CVE-2012-5770)

Flash (Alert)


IBM Tivoli Application Dependency Discovery Manager SSL certificate uses weak MD5 hash algorithm



TADDM uses weak certificates for SSL communication what can lead to man in the middle attack. The attacker must have access to traffic between TADDM server and its client (GUI or API) to be able to hijack and break the certificate. If more powerful hash algorithm is used the certificate is much more difficult to break.

CVEID: CVE-2012-5770
CVSS Base Score: 4.3
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

TADDM through


Fix* VRMF APAR How to acquire fix
7.2.1-TIV-ITADDM-FP0004 7.2.1.X IV32391 Download from fix central
None 7.2..0.0 None Upgrade to or work around.

Each customer should generate their own security certificates that would uniquely identify the customer. The steps to do that are listed in following section.

The certificates can be generated manually issuing following commands:

<taddm_dist_dir>/external/<jdk-for-platform>/bin/keytool -delete -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -storepass <ssl-password>

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -genkey -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -validity 3650 -keyAlg RSA -sigalg SHA256WithRSA -keypass <ssl-password> -storepass <ssl-password> -dname "CN=<TADDM_SERVER_FQDN>, OU=Engineering, O=IBM, L=Palo Alto, S=California, C=US"

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -export -alias collation -noprompt -keystore <taddm_dist_dir>/etc/serverkeys -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -delete -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -storepass <ssl-password>

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -import -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp


<taddm_dist_dir> - the "dist" dir where taddm is installed
<jdk-for-platform> - jdk dir dedicated for Customer's platform
<ssl-password> - value of com.collation.sslpassphrase
<TADDM_SERVER_FQDN> - taddm server fqdn

NOTE: please backup the existing files before:


If possible access to TADDM server should be restricted to certain selected machines by using e.g. by using iptables. This way the potential attacker must hijack machine allowed to access to conduct MiM attack.

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


1 March 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Tivoli Application Dependency Discovery Manager

Software version: 7.2, 7.2.1

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1626029

Modified date: 05 March 2013

Translate this page: