-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0379
   Security Bulletin: Vulnerabilities in ClearCase OpenSSL Component
            (CVE-2013-4353, CVE-2013-6450, CVE-2013-6449)
                                   and
    Security Bulletin: Vulnerabilities in ClearCase GSKit Component
                              (CVE-2013-6747)
                               21 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational ClearCase
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6747 CVE-2013-6450 CVE-2013-6449 CVE-2013-4353

Reference:         ESB-2014.0377
                   ESB-2014.0375
                   ESB-2014.0309
                   ESB-2014.0301
                   ESB-2014.0252
                   ESB-2014.0224
                   ESB-2014.0201
                   ESB-2014.0113
                   ESB-2014.0007

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21661589
   http://www-01.ibm.com/support/docview.wss?uid=swg21662006

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in ClearCase OpenSSL Component
(CVE-2013-4353, CVE-2013-6450, CVE-2013-6449)

Security Bulletin

Document information

More support for: Rational ClearCase
Perl: ratlperl

Software version: 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5,
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3,
7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
7.1.2.12, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6,
8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.1, 8.0.1.1, 8.0.1.2

Operating system(s): AIX, HP-UX, IRIX, Linux, Solaris, Windows

Reference #: 1661589

Modified date: 2014-03-19

Summary

The OpenSSL project has issued a security advisory that covers the OpenSSL
component shipped as part of IBM Rational ClearCase.
This component is used to make SSL connections in the base CC/CQ integration
and in SSL connections made from user Perl modules. On the UNIX/Linux
platforms, OpenSSL can also be used by the UCM/CQ integration.

Vulnerability Details

CVE ID: CVE-2013-4353

Description: This vulnerability is listed in the OpenSSL security advisory
located at http://www.openssl.org/news/vulnerabilities.html

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90201 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-6450

Description: This vulnerability is listed in the OpenSSL security advisory
located at http://www.openssl.org/news/vulnerabilities.html

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90069 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-6449

Description: This vulnerability is listed in the OpenSSL security advisory
located at http://www.openssl.org/news/vulnerabilities.html

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90068 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Rational ClearCase versions 7.1.1 through 7.1.1.9, 7.1.2 through
7.1.2.12, 8.0.0 through 8.0.0.9, and 8.0.1 through 8.0.1.2

Remediation/Fixes

The solution is to upgrade to a fix pack of ClearCase that ships a newer
OpenSSL component in which these vulnerabilities are corrected. The fixes
available are listed below.

Rational ClearCase Fix Pack 3 (8.0.1.3) for 8.0.1
Rational ClearCase Fix Pack 10 (8.0.0.10) for 8.0
Rational ClearCase Fix Pack 13 (7.1.2.13) for 7.1.2

Systems running 7.1.0, 7.1.1: upgrade to Rational ClearCase Fix Pack 13
(7.1.2.13) for 7.1.2.

Note: 7.1.2.13 inter-operates with all 7.1.1.x systems, and can be installed
in the same way as 7.1.1.x fix packs.
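The bulletins quote CVSS v2 base scores together with their vectors, and the
vector strings are easy to mangle when an advisory is copied between systems.
The following is an added example, not part of the IBM or AusCERT text: a
small CVSS v2 base-score calculator implementing the published base equation
from the FIRST CVSS v2 guide the bulletin references. It recomputes the three
OpenSSL scores (5.0, 4.3, 4.3) from their vectors, recomputes the 7.1 score
for CVE-2013-6747 in the GSKit bulletin below from its vector read as
(AV:N/AC:M/Au:N/C:N/I:N/A:C), and rejects a vector whose ':' and '/'
separators have been transposed rather than silently scoring it.

```python
"""CVSS v2 base-score calculator (added example; not IBM or AusCERT code).

Implements the CVSS v2 base equation from the FIRST "Complete CVSS Guide":
  Impact         = 10.41 * (1 - (1-C)*(1-I)*(1-A))
  Exploitability = 20 * AV * AC * Au
  f(Impact)      = 0 if Impact == 0 else 1.176
  BaseScore      = round_to_1_decimal((0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact))
"""
import math
import re

# Metric weights as defined in the CVSS v2 specification.
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
# A v2 base vector lists exactly these six metrics, in this order.
_ORDER = ["AV", "AC", "Au", "C", "I", "A"]


def parse_vector(vector: str) -> dict:
    """Parse '(AV:N/AC:M/Au:N/C:N/I:N/A:C)' into {metric: value}.

    Raises ValueError for a malformed vector, including one whose ':' and '/'
    separators were swapped in transit, so a corrupted advisory cannot be
    scored by accident.
    """
    body = vector.strip().strip("()")
    parts = body.split("/")
    if len(parts) != 6:
        raise ValueError(f"expected 6 metrics, got {len(parts)}: {vector!r}")
    metrics = {}
    for expected, part in zip(_ORDER, parts):
        m = re.fullmatch(r"([A-Za-z]+):([A-Z])", part)
        if m is None or m.group(1) != expected:
            raise ValueError(f"bad metric {part!r} (expected {expected}): {vector!r}")
        name, value = m.group(1), m.group(2)
        if value not in _WEIGHTS[name]:
            raise ValueError(f"invalid value {value!r} for {name}: {vector!r}")
        metrics[name] = value
    return metrics


def _round1(x: float) -> float:
    # CVSS v2 rounds to one decimal place, halves rounding up.
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """Return the CVSS v2 base score for a vector string."""
    m = parse_vector(vector)
    w = {k: _WEIGHTS[k][v] for k, v in m.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def check_quoted(vector: str, quoted: float) -> bool:
    """True if the score quoted in an advisory matches its vector."""
    return base_score(vector) == quoted


if __name__ == "__main__":
    # Vectors and scores as quoted in the bulletins above and below.
    for cve, vec, quoted in [
        ("CVE-2013-4353", "(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
        ("CVE-2013-6450", "(AV:N/AC:M/Au:N/C:N/I:N/A:P)", 4.3),
        ("CVE-2013-6449", "(AV:N/AC:M/Au:N/C:N/I:N/A:P)", 4.3),
        ("CVE-2013-6747", "(AV:N/AC:M/Au:N/C:N/I:N/A:C)", 7.1),
    ]:
        print(cve, vec, base_score(vec), "OK" if check_quoted(vec, quoted) else "MISMATCH")
```

Note that the A:C vector scores 7.1 while the A:P vectors score 4.3 with
otherwise identical metrics; the only difference is a complete rather than
partial availability impact, which is what the GSKit chain-building hang
gives an unauthenticated remote peer.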
Workarounds and Mitigations

None

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 19 March 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ----------------------------------------------------------------------

Security Bulletin: Vulnerabilities in ClearCase GSKit Component
(CVE-2013-6747)

Security Bulletin

Document information

More support for: Rational ClearCase
CCRC WAN Server

Software version: 7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3,
7.1.1.4, 7.1.1.5, 7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1,
7.1.2.2, 7.1.2.3, 7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9,
7.1.2.10, 7.1.2.11, 7.1.2.12, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4,
8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.1, 8.0.1.1, 8.0.1.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1662006

Modified date: 2014-03-19

Summary

A certificate chain presented by a client or server could contain a circular
reference that causes the chain-building logic to loop, which can lead to a
program crash or hang due to memory exhaustion.
Vulnerability Details

CVE ID: CVE-2013-6747

Description: A certificate chain presented by a client or server could
contain a circular reference that causes the chain-building logic to loop,
which can lead to a program crash or hang due to memory exhaustion.

The IBM GSKit is used if ClearCase on Windows platforms is configured to
integrate with IBM Rational ClearQuest with communication over SSL (https).
This applies to Base CC/CQ integrations using the Change Management
Interface (CMI) and to the UCM-enabled CQ integration via OSLC. If your
ClearCase deployment does not use these integrations with ClearQuest, or
does not use SSL with them, then your deployment is not exposed to this
attack. The UCM-enabled CQ integration without OSLC (SQUID) is not exposed
to this attack.

The IBM GSKit is also used by the CCRC WAN server (all platforms) when
supporting SSL connections.

CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89863 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

IBM Rational ClearCase versions 7.1.1 through 7.1.1.9, 7.1.2 through
7.1.2.12, 8.0.0 through 8.0.0.9, and 8.0.1 through 8.0.1.2

Remediation/Fixes

The solution is to upgrade to a fix pack of ClearCase that ships a newer
GSKit component in which this vulnerability is corrected. The fixes
available are listed below.

Client fixes (for Windows ClearCase clients in the vulnerable configurations
described above):

Rational ClearCase Fix Pack 3 (8.0.1.3) for 8.0.1
Rational ClearCase Fix Pack 10 (8.0.0.10) for 8.0
Rational ClearCase Fix Pack 13 (7.1.2.13) for 7.1.2

Systems running 7.1.0, 7.1.1: upgrade to Rational ClearCase Fix Pack 13
(7.1.2.13) for 7.1.2.

Note: 7.1.2.13 inter-operates with all 7.1.1.x systems, and can be installed
in the same way as 7.1.1.x fix packs.
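The failure mode above is a chain builder that follows issuer links with no
memory of where it has been, so a peer-supplied chain in which two
certificates name each other as issuer is walked forever, growing the
candidate chain until memory runs out. The following is an added
illustration and is not GSKit's code or IBM's: it models certificates as
(subject, issuer) name pairs only, does no X.509 parsing or signature
checking, and uses a constructed circular chain to show the unbounded walk
beside a hardened builder that tracks visited subjects and bounds the depth.
The step budget on the naive builder exists only so the demonstration
terminates.

```python
"""Certificate chain building with and without cycle detection.

Added example, not code from the bulletin or from IBM GSKit. Certificates
are modelled as (subject, issuer) name pairs; a real builder would match
on AuthorityKeyIdentifier/SubjectKeyIdentifier and verify each signature,
but the looping hazard is the same.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when no acceptable chain can be built from the presented certs."""


def _find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    # Look for a certificate in the peer-supplied pool whose subject is this
    # certificate's issuer. The pool is attacker-controlled input.
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_chain_naive(leaf: Cert, pool: List[Cert], step_budget: int = 1000) -> List[Cert]:
    """Vulnerable shape: follow issuer links until a self-signed cert appears.

    Nothing prevents revisiting a certificate, so a pool containing
    X (issued by Y) and Y (issued by X) never reaches a self-signed root;
    the loop keeps appending and the chain list grows without bound.
    step_budget is a demo-only guard; without it this hangs or exhausts memory.
    """
    chain = [leaf]
    current = leaf
    steps = 0
    while not current.self_signed:
        steps += 1
        if steps > step_budget:
            raise ChainError(f"gave up after {step_budget} steps; chain length {len(chain)}")
        issuer = _find_issuer(current, pool)
        if issuer is None:
            raise ChainError("issuer not found in presented chain")
        chain.append(issuer)
        current = issuer
    return chain


def build_chain(leaf: Cert, pool: List[Cert], max_depth: int = 10) -> List[Cert]:
    """Hardened builder: reject a subject seen twice and cap the chain depth."""
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.self_signed:
        if len(chain) >= max_depth:
            raise ChainError(f"chain exceeds max depth {max_depth}")
        issuer = _find_issuer(current, pool)
        if issuer is None:
            raise ChainError("issuer not found in presented chain")
        if issuer.subject in seen:
            raise ChainError(f"circular chain: {issuer.subject} already in path")
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer
    return chain


# Constructed sample data (hypothetical names).
ROOT = Cert("Root CA", "Root CA")
INTERMEDIATE = Cert("Intermediate CA", "Root CA")
LEAF = Cert("server.example", "Intermediate CA")
GOOD_POOL = [LEAF, INTERMEDIATE, ROOT]

# A hostile peer's chain: the leaf's issuer X is "issued by" Y, and Y by X.
CIRC_X = Cert("X", "Y")
CIRC_Y = Cert("Y", "X")
CIRC_LEAF = Cert("server.example", "X")
CIRC_POOL = [CIRC_LEAF, CIRC_X, CIRC_Y]


def demo() -> dict:
    """Run both builders on both pools and report what happened."""
    results = {"good": [c.subject for c in build_chain(LEAF, GOOD_POOL)]}
    for name, fn in (("naive", build_chain_naive), ("hardened", build_chain)):
        try:
            fn(CIRC_LEAF, CIRC_POOL)
            results[name] = "built a chain (unexpected)"
        except ChainError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened builder fails fast with a clear error on the circular input and
still accepts the ordinary leaf/intermediate/root chain; the depth cap is a
second line of defence for a long non-repeating chain, which can exhaust
resources just as well as a cycle.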
Server fixes (for CCRC WAN server):

Install GSKit fixes to IBM HTTP Server, if you use SSL on your WAN server.
You need the fix for APAR PI09443.

To upgrade:

ClearCase release 7.1.x: Document 1390803 explains how to update IBM HTTP
Server for IBM Rational ClearCase WAN servers at release 7.1.x. Consult those
instructions when applying the IHS interim fix or fix pack containing the
fix, as listed in IHS security bulletin 1663941.

ClearCase release 8.0.x: Upgrade IBM HTTP Server to a version including the
fix (see the IHS bulletin), or install the IHS interim fix. Consult IHS
security bulletin 1663941 for the releases of IHS that contain the fixes,
and apply the fixes relevant for your version of IHS.

Workarounds and Mitigations

None

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 19 March 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUyvAZBLndAQH1ShLAQJD6w/9Gh3Xe65bWf3l4Cy7J7czEZpJmKeFgl0s
GrlnsqkNoujlAatMhmPTOY0dsd8rMj6NBZw4U7qjbFQuaTGXLa7l9LeNDNocraMA
7xireVYU62f90HzAYXCRXfMI1CzsF8e9ioOcZhfc9xrXGVp3B1pDWaqdanoOZXpk
lbAdAVB6548hlrWfSclV6Prd2CFMxrILnNaJlN7zHajrmSaZVQTs5DmA0DHGax9L
yOPTvoTcOGkDawv2bQ6wLLjWwFWjUdX8NZ29x6cXUIV3QdZiMym56eZ0qgvbO64q
YkE+wVd9qD4b8mywWPDkPtqg9RTrUYb0zOyu45kDsRZEll15MBNoR/ahfuOfdmpK
0ccDIWP1v53aL0ejFqbSUhX4ltJUtaQjN7apd7MiYm7GJofQuCmw9rliDrdbF3kW
q+GJ2/OgNQunmxo4qQZz74ku0XXn/ESfhh64eaD+HUgI+Oznwm5I97qyjWY8JxKa
OYoXbIu8Iom76YdXYGEhraJsQzyF0gbol/ER45Ygs0EXqJpQUK5jOhYhtnkB9503
S7VTsEPyRZ6NuGxYIpMHQCpAIwbfPzCFySgeE54iOoamV8S9GVl6JbnNA9ebGoW3
MzDiq0iER0HTo7xImF26Uk46fyoJJDgLxuuXSdwSzGVRrprcJusSOpf1W+lhnsWj
cVQNAAmFDbM=
=G8eS
-----END PGP SIGNATURE-----