The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Mozilla NSS, OpenSSL, Oracle Java: MD5 allowed in TLS 1.2

Synthesis of the vulnerability 

An attacker can create a MD5 collision in a TLS 1.2 session of Mozilla NSS, OpenSSL or Oracle Java, in order to capture data belonging to this session.
Impacted software: Blue Coat CAS, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, AIX, DB2 UDB, Domino by IBM, Notes by IBM, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, JAXP, Firefox, NSS, Thunderbird, SnapManager, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity of this computer vulnerability: 1/4.
Creation date: 28/12/2015.
Revision date: 08/01/2016.
Références of this announce: 000008896, 1974958, 1975290, 1975424, 1976113, 1976148, 1976200, 1976262, 1976362, 1976363, 1977405, 1977517, 1977518, 1977523, 9010065, cpujan2016, cpuoct2017, CVE-2015-7575, DSA-3436-1, DSA-3457-1, DSA-3465-1, DSA-3491-1, DSA-3688-1, FEDORA-2016-4aeba0f53d, MFSA-2015-150, NTAP-20160225-0001, NTAP20160225-001, openSUSE-SU-2015:2405-1, openSUSE-SU-2016:0007-1, openSUSE-SU-2016:0161-1, openSUSE-SU-2016:0162-1, openSUSE-SU-2016:0263-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, openSUSE-SU-2016:0307-1, openSUSE-SU-2016:0308-1, openSUSE-SU-2016:0488-1, RHSA-2016:0007-01, RHSA-2016:0008-01, RHSA-2016:0049-01, RHSA-2016:0050-01, RHSA-2016:0053-01, RHSA-2016:0054-01, RHSA-2016:0055-01, RHSA-2016:0056-01, RHSA-2016:0098-01, RHSA-2016:0099-01, RHSA-2016:0100-01, RHSA-2016:0101-01, SA108, SLOTH, SUSE-SU-2016:0256-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, SUSE-SU-2016:0390-1, SUSE-SU-2016:0399-1, SUSE-SU-2016:0401-1, SUSE-SU-2016:0428-1, SUSE-SU-2016:0431-1, SUSE-SU-2016:0433-1, SUSE-SU-2016:0770-1, SUSE-SU-2016:0776-1, USN-2863-1, USN-2864-1, USN-2866-1, USN-2884-1, USN-2904-1, VIGILANCE-VUL-18586.

Description of the vulnerability 

The Mozilla NSS, OpenSSL and Oracle Java products implement TLS version 1.2.

The MD5 hashing algorithm is weak. However, it is accepted in signatures of TLS 1.2 ServerKeyExchange messages.

An attacker can therefore create a MD5 collision in a TLS 1.2 session of Mozilla NSS, OpenSSL or Oracle Java, in order to capture data belonging to this session.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security alert impacts software or systems such as Blue Coat CAS, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, AIX, DB2 UDB, Domino by IBM, Notes by IBM, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, JAXP, Firefox, NSS, Thunderbird, SnapManager, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.

Our Vigil@nce team determined that the severity of this security weakness is low.

The trust level is of type confirmed by the editor, with an origin of internet client.

An attacker with a expert ability can exploit this security announce.

Solutions for this threat 

Mozilla NSS: version 3.20.2.
The version 3.20.2 is fixed:
  http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

OpenSSL: version 1.0.1f.
The version 1.0.1f is fixed:
  http://www.openssl.org/source/

Firefox: version 43.0.2.
The version 43.0.2 is fixed:
  http://www.mozilla.org/en-US/firefox/organizations/all/
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

Firefox: version 38.5.2.
The version 38.5.2 is fixed:
  http://www.mozilla.org/en-US/firefox/organizations/all/
  http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

Oracle Java, OpenJDK: version 8u71.
The version 8u71 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html

Oracle Java, OpenJDK: version 1.7.0_95.
The version 1.7.0_95 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html
  http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html

Oracle Java, OpenJDK: version 6u111.
The version 6u111 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

AIX: fixed versions for IBM Java.
Fixed versions are indicated in information sources.

Blue Coat Content Analysis System: version 1.3.6.1.
The version 1.3.6.1 is fixed.

Blue Coat ProxySG: version 6.5.9.3.
The version 6.5.9.3 is fixed.

Blue Coat ProxySG: version 6.6.2.1.
The version 6.6.2.1 is fixed.

Debian 8: new nss packages.
New packages are available:
  Debian 8: nss 2:3.26-1+debu8u1

Debian: new icedove packages.
New packages are available:
  Debian 7: icedove 38.6.0-1~deb7u1
  Debian 8: icedove 38.6.0-1~deb8u1

Debian: new iceweasel packages.
New packages are available:
  Debian 7: iceweasel 38.6.0esr-1~deb7u1
  Debian 8: iceweasel 38.6.0esr-1~deb8u1

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b38-1.13.10-1~deb7u1

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u19
  Debian 8: openssl 1.0.1f-1

Fedora 23: new thunderbird packages.
New packages are available:
  Fedora 23: thunderbird 38.6.0-1.fc23

IBM AIX: patch for bos.net.tcp.
A patch is available:
  https://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar

IBM AIX: patch for SLOTH.
A patch is available:
  https://aix.software.ibm.com/aix/efixes/security/openssl_fix16.tar

IBM DB2: solution for MD5 in TLS 1.2.
The solution is indicated in information sources.

IBM Domino, Notes: patch for Java.
A patch is available:
  For the version 9.0.1 Fix Pack 5: http://www.ibm.com/support/docview.wss?uid=swg21657963
  For the version 8.5.3 Fix Pack 6: http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Domino: patch for SLOTH.
A patch is available:
  http://www-01.ibm.com/support/docview.wss?uid=swg21657963

IBM Notes: patch for MD5.
A patch is indicated in information sources.

IBM Security QRadar SIEM: patch for OpenSSL.
A patch is available:
  IBM QRadar/QRM/QVM/QRIF 7.2.6 Patch 2: http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.6-QRADAR-QRSIEM-20160121152811&includeRequisites=0&includeSupersedes=0&downloadMethod=http&source=fc
  IBM QRadar 7.1 MR2 Patch 12 Interim Fix 1: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=Linux&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1104447INT&includeRequisites=0&includeSupersedes=0&downloadMethod=http&source=fc

IBM SPSS Modeler: patch for Java.
A patch is indicated in information sources.

IBM TADDM: solution for Java.
The solution is indicated in information sources.

IBM Tivoli Storage Manager: fixed versions for SLOTH.
Fixed versions are as follows:
  TSM Operations Center: 7.1.4.200 (ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/7.1.4.200/), 6.4.2.400 (ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/6.4.2.400/)
  TSM Client Management Service: 7.1.4.100 (ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/cms/7.1.4.100)

IBM WebSphere Application Server: patch for Java.
A patch is indicated in information sources, depending on the installed version of WebSphere.

IBM WebSphere MQ: fixed versions for Java.
Fixed versions are indicated in information sources.

NetApp SnapManager: solution for TLS.
The SnapManager for Sharepoint product is not vulnerable after further evaluation from NetApp.

openSUSE 13.1: new MozillaThunderbird packages.
New packages are available:
  openSUSE 13.1: MozillaThunderbird 38.6.0-70.74.1

openSUSE 13.2: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_8_0-openjdk 1.8.0.72-21.1

openSUSE 13.2: new polarssl packages.
New packages are available:
  openSUSE 13.2: polarssl 1.3.9-14.1

openSUSE 13: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.95-24.27.1
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.95-16.1

openSUSE Leap 42.1: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.95-25.1

openSUSE Leap 42.1: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.72-6.1

openSUSE Leap 42.1: new mbedtls packages.
New packages are available:
  openSUSE Leap 42.1: mbedtls 1.3.16-9.1

openSUSE: new MozillaFirefox packages.
New packages are available:
  openSUSE 13.1: MozillaFirefox 43.0.3-100.1
  openSUSE 13.2: MozillaFirefox 43.0.3-56.1
  openSUSE Leap 42.1: MozillaFirefox 43.0.3-9.2

openSUSE: new mozilla-nss packages.
New packages are available:
  openSUSE 13.1: mozilla-nss 3.20.2-65.1
  openSUSE 13.2: mozilla-nss 3.20.2-22.1
  openSUSE Leap 42.1: mozilla-nss 3.20.2-6.1

openSUSE: new seamonkey packages.
New packages are available:
  openSUSE 13.1: seamonkey 2.40-62.1
  openSUSE 13.2: seamonkey 2.40-26.1
  openSUSE Leap 42.1: seamonkey 2.40-6.2

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.20-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.20-1jpp.1.el6_7

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.95-2.6.4.1.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.95-2.6.4.0.el6_7
  RHEL 7: java-1.7.0-openjdk 1.7.0.95-2.6.4.0.el7_2

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.95-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.95-1jpp.1.el6_7
  RHEL 7: java-1.7.0-oracle 1.7.0.95-1jpp.2.el7

RHEL: new java-1.7.x-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.30-1jpp.2.el6_7
  RHEL 5: java-1.7.0-ibm 1.7.0.9.30-1jpp.1.el5

RHEL: new java-1.8.0-ibm packages.
New packages are available:
  RHEL 7: java-1.8.0-ibm 1.8.0.2.10-1jpp.1.el7

RHEL: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 7: java-1.8.0-openjdk 1.8.0.71-2.b15.el7_2
  RHEL 6: java-1.8.0-openjdk 1.8.0.71-1.b15.el6_7

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.71-1jpp.1.el6_7
  RHEL 7: java-1.8.0-oracle 1.8.0.71-1jpp.1.el7

RHEL: new nss packages.
New packages are available:
  RHEL 6: nss 3.19.1-8.el6_7
  RHEL 7: nss 3.19.1-19.el7_2

RHEL: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-42.el6_7.2
  RHEL 7: openssl 1.0.1e-51.el7_2.2

SUSE LE 10 SP4: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 SP4: java-1_6_0-ibm 1.6.0_sr16.20-0.8.1

SUSE LE 12: new java-1_8_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-openjdk 1.8.0.72-3.2

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.20-49.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.20-51.1
  SUSE LE 12 RTM: java-1_6_0-ibm 1.6.0_sr16.20-30.1

SUSE LE: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.30-45.1

SUSE LE: new java-1_7_0-openjdk packages (28/01/2016).
New packages are available:
  SUSE LE 12 SP1: java-1_7_0-openjdk 1.7.0.95-24.2
  SUSE LE 12 RTM: java-1_7_0-openjdk 1.7.0.95-24.2
  SUSE LE 11 SP4: java-1_7_0-openjdk 1.7.0.95-0.17.2
  SUSE LE 11 SP3: java-1_7_0-openjdk 1.7.0.95-0.17.2

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.30-9.1
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.30-21.1
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.30-21.1

SUSE LE: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr2.10-7.1

Synology DS, RS: version 5.2-5644 Update 3.
The version 5.2-5644 Update 3 is fixed:
  https://www.synology.com

Thunderbird: version 38.6.
The version 38.6 is fixed:
  https://www.mozilla.org/en-US/thunderbird/

Ubuntu: new firefox packages.
New packages are available:
  Ubuntu 15.10: firefox 43.0.4+build3-0ubuntu0.15.10.1
  Ubuntu 15.04: firefox 43.0.4+build3-0ubuntu0.15.04.1
  Ubuntu 14.04 LTS: firefox 43.0.4+build3-0ubuntu0.14.04.1
  Ubuntu 12.04 LTS: firefox 43.0.4+build3-0ubuntu0.12.04.1

Ubuntu: new libnss3 packages.
New packages are available:
  Ubuntu 15.10: libnss3 2:3.19.2.1-0ubuntu0.15.10.2
  Ubuntu 15.04: libnss3 2:3.19.2.1-0ubuntu0.15.04.2
  Ubuntu 14.04 LTS: libnss3 2:3.19.2.1-0ubuntu0.14.04.2
  Ubuntu 12.04 LTS: libnss3 3.19.2.1-0ubuntu0.12.04.2

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.33

Ubuntu: new openjdk-7 packages.
New packages are available:
  Ubuntu 15.10: openjdk-7-jre 7u95-2.6.4-0ubuntu0.15.10.1
  Ubuntu 15.04: openjdk-7-jre 7u95-2.6.4-0ubuntu0.15.04.1
  Ubuntu 14.04 LTS: openjdk-7-jre 7u95-2.6.4-0ubuntu0.14.04.1

Ubuntu: new thunderbird packages.
New packages are available:
  Ubuntu 15.10: thunderbird 1:38.6.0+build1-0ubuntu0.15.10.1
  Ubuntu 14.04 LTS: thunderbird 1:38.6.0+build1-0ubuntu0.14.04.1
  Ubuntu 12.04 LTS: thunderbird 1:38.6.0+build1-0ubuntu0.12.04.1
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a networks vulnerabilities announce. The technology watch team tracks security threats targeting the computer system.