-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0379
     Security Bulletin: Vulnerabilities in ClearCase OpenSSL Component
   (CVE-2013-4353, CVE-2013-6450, CVE-2013-6449) and Security Bulletin:
       Vulnerabilities in ClearCase GSKit Component (CVE-2013-6747)
                               21 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational ClearCase
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6747 CVE-2013-6450 CVE-2013-6449
                   CVE-2013-4353  

Reference:         ESB-2014.0377
                   ESB-2014.0375
                   ESB-2014.0309
                   ESB-2014.0301
                   ESB-2014.0252
                   ESB-2014.0224
                   ESB-2014.0201
                   ESB-2014.0113
                   ESB-2014.0007

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21661589
   http://www-01.ibm.com/support/docview.wss?uid=swg21662006

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in ClearCase OpenSSL Component 
(CVE-2013-4353, CVE-2013-6450, CVE-2013-6449)

Security Bulletin

Document information

More support for:
Rational ClearCase
Perl: ratlperl

Software version:
7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5, 7.1.1.6, 7.1.1.7, 7.1.1.8, 
7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 
7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11, 7.1.2.12, 8.0, 8.0.0.1, 8.0.0.2, 
8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.1, 8.0.1.1, 
8.0.1.2

Operating system(s):
AIX, HP-UX, IRIX, Linux, Solaris, Windows

Reference #:
1661589

Modified date:
2014-03-19

Summary

The OpenSSL project has issued a security advisory that affects the OpenSSL 
component shipped as part of IBM Rational ClearCase. This component is used 
to make SSL connections in the base CC/CQ integration and in SSL connections 
made from user Perl modules. On the UNIX/Linux platforms, OpenSSL can also be 
used by the UCM/CQ integration.

Vulnerability Details

CVE ID: CVE-2013-4353

Description:
This vulnerability is listed in the OpenSSL security advisory located at 
http://www.openssl.org/news/vulnerabilities.html

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90201
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-6450

Description:
This vulnerability is listed in the OpenSSL security advisory located at 
http://www.openssl.org/news/vulnerabilities.html

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90069 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-6449

Description:
This vulnerability is listed in the OpenSSL security advisory located at 
http://www.openssl.org/news/vulnerabilities.html

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90068 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Rational ClearCase versions 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.12, 
8.0.0 through 8.0.0.9, and 8.0.1 through 8.0.1.2

Remediation/Fixes

The solution is to upgrade to a fix pack of ClearCase that has a newer OpenSSL 
component that corrects these vulnerabilities. Please see below for 
information on the fixes available.

   Rational ClearCase Fix Pack 3 (8.0.1.3) for 8.0.1

   Rational ClearCase Fix Pack 10 (8.0.0.10) for 8.0

   Rational ClearCase Fix Pack 13 (7.1.2.13) for 7.1.2

   Systems running 7.1.0, 7.1.1: upgrade to Rational ClearCase Fix Pack 13 
   (7.1.2.13) for 7.1.2.
   Note: 7.1.2.13 inter-operates with all 7.1.1.x systems, and can be 
   installed in the same way as 7.1.1.x fix packs.

Workarounds and Mitigations

None

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 19 March 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ----------------------------------------------------------------------

Security Bulletin: Vulnerabilities in ClearCase GSKit Component 
(CVE-2013-6747)

Security Bulletin

Document information

More support for:
Rational ClearCase
CCRC WAN Server

Software version:
7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5, 
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.2.4, 
7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11, 7.1.2.12, 
8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 
8.0.0.9, 8.0.1, 8.0.1.1, 8.0.1.2

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Reference #:
1662006

Modified date:
2014-03-19

Summary

A certificate chain presented by a Client or Server could contain a circular 
reference that causes the chain building logic to loop indefinitely, which can 
lead to a program crash or hang due to memory exhaustion.

Vulnerability Details

CVE ID: CVE-2013-6747

Description:

A certificate chain presented by a Client or Server could contain a circular 
reference that causes the chain building logic to loop indefinitely, which can 
lead to a program crash or hang due to memory exhaustion.

The IBM GSKit is used if ClearCase on Windows platforms is configured to 
integrate with IBM Rational ClearQuest with communication over SSL (https). 
This applies to Base CC/CQ integrations using Change Management Interface 
(CMI) and to UCM-enabled CQ integration via OSLC. If your ClearCase deployment 
is not using these integrations with ClearQuest, or not using SSL with the 
integrations, then your deployment is not sensitive to this attack. The 
UCM-enabled CQ integration without using OSLC (SQUID) is not sensitive to this 
attack.

The IBM GSKit is also used by CCRC WAN server (all platforms) when supporting 
SSL connections.
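The failure mode described above is a chain builder that follows issuer links
without remembering where it has already been, so a chain in which two
certificates name each other as issuer never terminates. The following is an
added illustration written for this bulletin, not IBM or GSKit code: it
models certificates as plain records (subject, issuer, fingerprint) instead
of parsed X.509 so it runs offline, and all names, fingerprints and the
`MAX_CHAIN_DEPTH` bound are constructed assumptions. It contrasts an
unbounded walk with one that tracks visited certificates and enforces a
depth limit, which is the mitigation a chain builder needs against this
class of input.

```python
"""Cycle-safe certificate chain building (added illustration, not GSKit code).

Certificates are modelled as plain records so the example runs offline; a
real builder matches issuers by key identifier and verifies each signature.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder identifier, not a real hash

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when a presented chain cannot be built safely."""


# Assumed upper bound on path length; real chains are rarely deeper than 4-5.
MAX_CHAIN_DEPTH = 8


def build_chain_naive(leaf: Cert, presented: Dict[str, Cert],
                      max_steps: int) -> List[Cert]:
    """Follows issuer links with no memory of what it has already visited.

    On a circular chain this would loop forever, growing `chain` until memory
    is exhausted (the bulletin's failure mode). `max_steps` exists only so the
    demonstration returns instead of hanging.
    """
    chain = [leaf]
    while not chain[-1].self_signed:
        if len(chain) >= max_steps:
            return chain  # without this guard the list keeps growing
        issuer = presented.get(chain[-1].issuer)
        if issuer is None:
            break
        chain.append(issuer)
    return chain


def build_chain(leaf: Cert, presented: Dict[str, Cert],
                trust_anchors: Dict[str, Cert]) -> List[Cert]:
    """Builds leaf -> ... -> trust anchor, rejecting cycles and over-long paths."""
    chain = [leaf]
    seen = {leaf.fingerprint}
    current = leaf
    while not current.self_signed:
        if len(chain) >= MAX_CHAIN_DEPTH:
            raise ChainError("chain exceeds maximum depth")
        if current.issuer in trust_anchors:
            chain.append(trust_anchors[current.issuer])
            return chain
        issuer = presented.get(current.issuer)
        if issuer is None:
            raise ChainError(f"no issuer found for {current.subject}")
        if issuer.fingerprint in seen:
            raise ChainError(
                f"circular reference: {issuer.subject} is already in the chain")
        seen.add(issuer.fingerprint)
        chain.append(issuer)
        current = issuer
    # A self-signed end point presented by the peer is only acceptable if it
    # is one of our own trust anchors.
    anchor_fps = {c.fingerprint for c in trust_anchors.values()}
    if current.fingerprint not in anchor_fps:
        raise ChainError("chain terminates in an untrusted self-signed certificate")
    return chain


def check_presented_chain(leaf: Cert, presented: Dict[str, Cert],
                          trust_anchors: Dict[str, Cert]) -> str:
    """Returns a one-line verdict suitable for logging."""
    try:
        chain = build_chain(leaf, presented, trust_anchors)
    except ChainError as exc:
        return f"reject: {exc}"
    return "accept: " + " -> ".join(c.subject for c in chain)


def presented_by(*certs: Cert) -> Dict[str, Cert]:
    """Indexes the certificates a peer sent by subject name."""
    return {c.subject: c for c in certs}


def make_deep_chain(n: int) -> List[Cert]:
    """Constructed straight chain c0 <- c1 <- ... <- c(n-1), last one self-signed."""
    certs = [Cert(f"c{i}", f"c{i + 1}", f"fp-c{i}") for i in range(n - 1)]
    certs.append(Cert(f"c{n - 1}", f"c{n - 1}", f"fp-c{n - 1}"))
    return certs


# Constructed sample data (not real certificates or hashes).
ROOT = Cert("Example Root CA", "Example Root CA", "fp-root")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", "fp-int")
LEAF = Cert("server.example.test", "Example Issuing CA", "fp-leaf")
# Circular chain: each names the other as issuer, neither is self-signed.
CYCLE_A = Cert("Loop A", "Loop B", "fp-a")
CYCLE_B = Cert("Loop B", "Loop A", "fp-b")
TRUST_ANCHORS = {ROOT.subject: ROOT}

if __name__ == "__main__":
    print(check_presented_chain(LEAF, presented_by(LEAF, INTERMEDIATE), TRUST_ANCHORS))
    print(check_presented_chain(CYCLE_A, presented_by(CYCLE_A, CYCLE_B), TRUST_ANCHORS))
    print(len(build_chain_naive(CYCLE_A, presented_by(CYCLE_A, CYCLE_B), 1000)),
          "certificates accumulated by the unbounded walk before the demo guard")
```

The visited set is what defeats a two-certificate loop; the depth bound is
the second line of defence for longer cycles and for chains that are merely
absurdly deep, and it also caps the memory a single handshake can consume.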

CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89863 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

IBM Rational ClearCase versions 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.12, 
8.0.0 through 8.0.0.9, and 8.0.1 through 8.0.1.2

Remediation/Fixes

The solution is to upgrade to a fix pack of ClearCase that has a newer GSKit 
component that corrects these vulnerabilities. Please see below for 
information on the fixes available.

Client fixes (for Windows ClearCase clients meeting the description above of 
vulnerable configurations):

   Rational ClearCase Fix Pack 3 (8.0.1.3) for 8.0.1

   Rational ClearCase Fix Pack 10 (8.0.0.10) for 8.0

   Rational ClearCase Fix Pack 13 (7.1.2.13) for 7.1.2

   Systems running 7.1.0, 7.1.1: upgrade to Rational ClearCase Fix Pack 13 
   (7.1.2.13) for 7.1.2.
   Note: 7.1.2.13 inter-operates with all 7.1.1.x systems, and can be 
   installed in the same way as 7.1.1.x fix packs.

Server fixes (for CCRC WAN server):

Install GSKit fixes to IBM HTTP Server, if you use SSL on your WAN server. You 
need the fix for APAR PI09443. To upgrade:

   ClearCase release 7.1.x: Document 1390803 explains how to update IBM HTTP 
   Server for IBM Rational ClearCase WAN servers at release 7.1.x. Consult 
   those instructions when applying the IHS interim fix or fix pack containing 
   the fix, as listed in IHS security bulletin 1663941.

   ClearCase release 8.0.x: Upgrade IBM HTTP Server to a version including the 
   fix (see the IHS bulletin), or install the IHS interim fix. Consult IHS 
   security bulletin 1663941 for the releases of IHS that contain the fixes, 
   and apply the fixes relevant for your version of IHS.

Workarounds and Mitigations

None

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 19 March 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----