-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2016
     Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational
         ClearQuest (CVE-2015-1788, CVE-2015-1789, CVE-2015-1791)
                               4 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational ClearQuest
                   IBM Rational ClearCase
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1791 CVE-2015-1789 CVE-2015-1788

Reference:         ASB-2015.0065
                   ESB-2015.1968
                   ESB-2015.1878
                   ESB-2015.1844
                   ESB-2015.1811
                   ESB-2015.1809
                   ESB-2015.1789
                   ESB-2015.1727
                   ESB-2015.1699
                   ESB-2015.1670
                   ESB-2015.1569
                   ESB-2015.1561
                   ESB-2015.1557
                   ESB-2015.1544.2
                   ESB-2015.1540

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21962775
   http://www-01.ibm.com/support/docview.wss?uid=swg21960633

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest 
(CVE-2015-1788, CVE-2015-1789, CVE-2015-1791)

Security Bulletin

Document information

More support for:

Rational ClearQuest

Software version:

7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5, 
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.2.4,
7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11, 7.1.2.12, 
7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18, 8.0, 8.0.0.1, 
8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 
8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15, 8.0.1, 8.0.1.1, 
8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1962775

Modified date:

2015-08-03

Summary

OpenSSL vulnerabilities were disclosed on June 11, 2015 by the OpenSSL 
Project. OpenSSL is used by IBM Rational ClearQuest. IBM Rational ClearQuest
has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-1788

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error
when processing an ECParameters structure over a specially crafted binary 
polynomial field. A remote attacker could exploit this vulnerability to cause
the application to enter into an infinite loop.

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/103778 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1789

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an 
out-of-bounds read in X509_cmp_time. An attacker could exploit this 
vulnerability using a specially crafted certificate or CRL to trigger a 
segmentation fault.

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/103779 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1791

DESCRIPTION: A double-free memory error in OpenSSL in the 
ssl3_get_new_session_ticket() function has an unknown impact. By returning a 
specially crafted NewSessionTicket message, an attacker could cause the client
to reuse a previous ticket resulting in a race condition.

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/103609 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Rational ClearQuest versions:

Version                          Status

8.0.1 through 8.0.1.8            Affected

8.0 through 8.0.0.15             Affected

7.1.0.x, 7.1.1.x (all versions),
7.1.2 through 7.1.2.18           Affected

Not all deployments of Rational ClearQuest use OpenSSL in a way that is 
affected by these vulnerabilities.

You are vulnerable if your use of Rational ClearQuest includes any of these 
configurations:

   1. You use SSL connections in perl scripts run by ratlperl or cqperl, or by
   ClearQuest hooks. In this situation, you should review all the fixes provided
   by the OpenSSL project to see which ones apply to your use of OpenSSL. See the
   references link below.

   2. You integrate with ClearCase.

Remediation/Fixes

Apply a prerequisite fix pack as listed in the table below, then apply a test
fix that includes a newer version of OpenSSL. The test fix includes OpenSSL 
1.0.1p.

Affected Versions        Prerequisite before applying the fix

8.0.1 through 8.0.1.7    Install Rational ClearQuest Fix Pack 8 (8.0.1.8) for 8.0.1

8.0 through 8.0.0.14     Install Rational ClearQuest Fix Pack 15 (8.0.0.15) for 8.0

7.1.2 through 7.1.2.17   Customers on extended support contracts should install
                         Rational ClearQuest Fix Pack 18 (7.1.2.18) for 7.1.2

7.1.1.x (all fix packs)  Customers on extended support contracts should contact
7.1.0.x (all fix packs)  Rational Customer Support

Once your systems are running the relevant fix pack, contact Rational Customer
support for instructions to download and install the test fix.

For 7.0.x and earlier releases, IBM recommends upgrading to a fixed, supported
version/release/platform of the product.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References

Complete CVSS v2 Guide

On-line Calculator v2

OpenSSL Project vulnerability website

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

* 3 August 2015: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase 
(CVE-2015-1788, CVE-2015-1789, CVE-2015-1791)

Security Bulletin

Document information

More support for:

Rational ClearCase

Perl: ratlperl

Software version:

7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5, 
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.2.4,
7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11, 7.1.2.12, 
7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18, 8.0, 8.0.0.1, 
8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 
8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15, 8.0.1, 8.0.1.1, 
8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1960633

Modified date:

2015-08-03

Summary

OpenSSL vulnerabilities were disclosed on June 11, 2015 by the OpenSSL 
Project. OpenSSL is used by IBM Rational ClearCase. IBM Rational ClearCase has
addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-1788

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error
when processing an ECParameters structure over a specially crafted binary 
polynomial field. A remote attacker could exploit this vulnerability to cause
the application to enter into an infinite loop.

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/103778 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1789

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an 
out-of-bounds read in X509_cmp_time. An attacker could exploit this 
vulnerability using a specially crafted certificate or CRL to trigger a 
segmentation fault.

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/103779 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-1791

DESCRIPTION: A double-free memory error in OpenSSL in the 
ssl3_get_new_session_ticket() function has an unknown impact. By returning a 
specially crafted NewSessionTicket message, an attacker could cause the client
to reuse a previous ticket resulting in a race condition.

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/103609 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Rational ClearCase versions:

Version                          Status

8.0.1 through 8.0.1.8            Affected

8.0 through 8.0.0.15             Affected

7.1.0.x, 7.1.1.x (all versions),
7.1.2 through 7.1.2.18           Affected

Not all deployments of Rational ClearCase use OpenSSL in a way that is 
affected by these vulnerabilities.

You are vulnerable if your use of Rational ClearCase includes any of these 
configurations:

   1. You use the base ClearCase/ClearQuest integration client on any platform,
   configured to use SSL to communicate with a ClearQuest server.

   2. You use the UCM/ClearQuest integration on UNIX/Linux clients, configured 
   to use SSL to communicate with a ClearQuest server.

    Note: Windows clients using the UCM/ClearQuest integration are not 
    vulnerable.

   3. On UNIX/Linux clients, you use the Change Management Integrations for base
   ClearCase with ClearQuest or Rational Team Concert (RTC), or for UCM with 
   ClearQuest or RTC, or for Jira, when configured to use SSL to communicate with
   the server.

    Note: Windows clients using the CMI integration are not vulnerable.

   4. You use ratlperl, ccperl, or cqperl to run your own perl scripts, and 
   those scripts use SSL connections.

Remediation/Fixes

Apply a prerequisite fix pack as listed in the table below, then apply a test
fix that includes a newer version of OpenSSL. The test fix includes OpenSSL 
1.0.1p.

Affected Versions        Fix pack required before applying a test fix

8.0.1 through 8.0.1.7    Install Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1

8.0 through 8.0.0.14     Install Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0

7.1.2 through 7.1.2.17
7.1.1.x (all fix packs)  Customers on extended support contracts should install
7.1.0.x (all fix packs)  Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2

Once your systems are running the relevant fix pack, contact Rational Customer
support for instructions to download and install the test fix.

For 7.0.x and earlier releases, IBM recommends upgrading to a fixed, supported
version/release/platform of the product.
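Both bulletins hinge on one check an administrator has to repeat per host: is the OpenSSL that ratlperl, ccperl or cqperl (or the ClearQuest integration clients) actually load at or past the 1.0.1p level the test fix ships? The following is an added example, not IBM's code, that applies the pre-1.1 OpenSSL patch-letter ordering to version strings of the form `openssl version` prints; the sample strings and the three-way "fixed / update_required / other_branch" classification are this example's own choices, and any build on a different major.minor.fix line is deliberately reported as needing a manual check against the OpenSSL advisory rather than guessed at.

```python
"""Classify an OpenSSL version string against the 1.0.1p level that the
ClearQuest/ClearCase test fix bundles.  Nothing here touches a live
system; feed it the text of `openssl version` or whatever your perl
scripts report, and act on the returned classification."""
import re

# Level stated in the IBM bulletins for the test fix.
FIXED_VERSION = "1.0.1p"

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters) from text such as
    'OpenSSL 1.0.1m 19 Mar 2015', or None when no version is present.
    Pre-1.1 OpenSSL numbers patch releases with a trailing letter run:
    '' < 'a' < ... < 'z' < 'za' < 'zb', so the letters are kept verbatim."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def _patch_key(letters):
    # A longer letter run is always a later release ('zg' > 'z' > 'p').
    return (len(letters), letters)


def assess(version_text, fixed=FIXED_VERSION):
    """Return 'fixed', 'update_required' or 'other_branch'.
    'other_branch' means a different major.minor.fix line, which the
    bulletins say nothing about; check it against the OpenSSL advisory."""
    got = parse_openssl_version(version_text)
    want = parse_openssl_version(fixed)
    if got is None:
        raise ValueError("no OpenSSL version found in: %r" % (version_text,))
    if got[:3] != want[:3]:
        return "other_branch"
    if _patch_key(got[3]) >= _patch_key(want[3]):
        return "fixed"
    return "update_required"


# Constructed sample strings in the shape `openssl version` prints them.
SAMPLES = [
    "OpenSSL 1.0.1m 19 Mar 2015",   # pre-fix 1.0.1 build: update_required
    "OpenSSL 1.0.1p 9 Jul 2015",    # the test-fix level itself: fixed
    "OpenSSL 1.0.2d 9 Jul 2015",    # different line: other_branch
]

if __name__ == "__main__":
    for text in SAMPLES:
        print("%-30s -> %s" % (text, assess(text)))
```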

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References

Complete CVSS v2 Guide

On-line Calculator v2

OpenSSL Project vulnerability website

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

* 31 July 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================