===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0633
  Security Bulletin: Security vulnerabilities in Rational DOORS (CVE-2014-3613,
         CVE-2014-3620, CVE-2014-8730, CVE-2014-9495, CVE-2015-0973)
                               17 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational DOORS
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0973 CVE-2014-9495 CVE-2014-8730 CVE-2014-3620
                   CVE-2014-3613
Reference:         ESB-2015.0571
                   ESB-2014.2265

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21685985

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Security vulnerabilities in Rational DOORS (CVE-2014-3613,
CVE-2014-3620, CVE-2014-8730, CVE-2014-9495, CVE-2015-0973)

Document information

More support for: Rational DOORS
General Information

Software version: 9.3.0.1, 9.3.0.2, 9.3.0.3, 9.3.0.4, 9.3.0.5, 9.3.0.6,
9.3.0.7, 9.3.0.8, 9.3.0.9, 9.4, 9.4.0.1, 9.4.0.2, 9.4.0.3, 9.5.0.1, 9.5.0.2,
9.5.0.3, 9.5.1, 9.5.1.1, 9.5.1.2, 9.5.1.3, 9.5.1.4, 9.5.2, 9.5.2.1, 9.5.2.2,
9.5.2.3, 9.6, 9.6.0.1, 9.6.0.2, 9.6.1, 9.6.1.1

Operating system(s): Windows

Reference #: 1685985

Modified date: 2015-03-12

Security Bulletin

Summary

IBM Rational DOORS contains multiple security vulnerabilities.
Vulnerability Details

Rational DOORS is affected by the following vulnerabilities, disclosed in and
corrected by Rational DOORS fix pack releases:

CVE ID: CVE-2014-3613

Description: cURL/libcURL could allow a remote attacker to bypass security
restrictions, caused by the failure to properly detect and reject domain names
for IP addresses. An attacker could exploit this vulnerability to send cookies
to an incorrect site.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95925 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

- -------------------------------------

CVE ID: CVE-2014-3620

Description: cURL/libcURL could allow a remote attacker to bypass security
restrictions, caused by cookies being set for Top Level Domains (TLDs). An
attacker could exploit this vulnerability to send cookies to a different and
unrelated site or domain.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95924 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

- -------------------------------------

CVE ID: CVE-2014-8730

Description: The product could allow a remote attacker to obtain sensitive
information, caused by the failure to check the contents of the padding bytes
when using CBC cipher suites of some TLS implementations. A remote user with
the ability to conduct a man-in-the-middle attack could exploit this
vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption)
like attack to decrypt sensitive information and calculate the plaintext of
secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

- -------------------------------------

CVE ID: CVE-2014-9495

Description: Libpng is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking by the png_combine_row function when decompressing
the IDAT_data. A remote attacker could exploit this vulnerability using a
"very wide interlaced" PNG image to overflow a buffer and execute arbitrary
code on the system or cause a denial of service.

CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

- -------------------------------------

CVE ID: CVE-2015-0973

Description: Libpng is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking by the png_read_IDAT_data() function. A remote
attacker could exploit this vulnerability using IDAT data with a large width
to overflow a buffer and execute arbitrary code on the system or cause a
denial of service.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100239 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Rational DOORS versions 9.3.0.x, 9.4.0.x, 9.5.0.x, 9.5.1.x, 9.5.2.x, 9.6.0.x,
9.6.1.0.

Remediation/Fixes

Upgrade to one of the following Rational DOORS fix packs to avoid these
vulnerabilities.

Affected Rational DOORS version   Rational DOORS fix pack that contains the fix
9.3.0.x                           9.3.0.9
9.4.0.x                           9.4.0.3
9.5.0.x                           9.5.0.3
9.5.1.x                           9.5.1.4
9.5.2.x                           9.5.2.3
9.6.0.x                           9.6.0.2
9.6.1.0                           9.6.1.1

To avoid the vulnerability that is referenced in CVE-2014-8730, you can set an
environment variable, as described in Security Bulletin: TLS padding
vulnerability affects IBM Rational DOORS (CVE-2014-8730).
This fix is not required if you upgrade to the fix pack, as described in this
section.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 12 March 2015: Original copy published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.