Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2102
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
Rational ClearQuest (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)
13 August 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational ClearQuest
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-1916 CVE-2015-0488 CVE-2015-0478
Reference: ASB-2015.0035
ESB-2015.2083
ESB-2015.2055
ESB-2015.0998
ESB-2015.0996
ESB-2015.0993
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21963760
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect
IBM Rational ClearQuest (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)
Document information
More support for:
Rational ClearQuest
Software version:
7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5,
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3,
7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18, 8.0,
8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8,
8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15, 8.0.1,
8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Reference #:
1963760
Modified date:
2015-08-12
Security Bulletin
Summary
There are multiple vulnerabilities in IBM Runtime Environment Java Technology
Edition, Versions 5 and 6 that are used by IBM Rational ClearQuest. These
issues were disclosed as part of the IBM Java SDK updates in April 2015.
Vulnerability Details
CVEID: CVE-2015-0488
DESCRIPTION: An unspecified vulnerability related to the JSSE component
could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102336 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-0478
DESCRIPTION: An unspecified vulnerability related to the JCE component
could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102339 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1916
DESCRIPTION: Server applications which use the IBM Java Secure Socket
Extension provider to accept SSL/TLS connections are vulnerable to a denial
of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101995 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
IBM Rational ClearQuest, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x,
8.0.1.x, in the following components:
ClearQuest Server components, when configured to use SSL, such as the Web
Server, FTS server and Reporting server.
ClearQuest Eclipse clients that use Report Designer, run remote reports
on servers using secure connections, or use the embedded browser to connect to
secure web sites.
ClearQuest version Status
8.0.1 through 8.0.1.8 Affected
8.0 through 8.0.0.15 Affected
7.1.2 through 7.1.2.18 Affected
7.1.0.x, 7.1.1.x (all versions and fix Affected
packs)
Remediation/Fixes
The solution is to install a fix that includes an updated Java Virtual
Machine with fixes for the issues, and to apply fixes for WebSphere
Application Server (WAS).
ClearQuest Eclipse client fixes
Apply a prerequisite fix pack as listed in the table below, then apply
a test fix that includes an updated Java Virtual Machine.
Affected Versions Prerequisite before applying the fix
8.0.1 through 8.0.1.7 Install Rational ClearQuest Fix Pack 8
(8.0.1.8) for 8.0.1
8.0 through 8.0.0.14 Install Rational ClearQuest Fix Pack 15
(8.0.0.15) for 8.0
7.1.2 through 7.1.2.17 Customers on extended support contracts should
install Rational ClearQuest Fix Pack 18
(7.1.2.18) for 7.1.2
7.1.1.x (all fix packs) Customers on extended support contracts should
7.1.0.x (all fix packs) contact Rational Customer Support
Once your systems are running the relevant fix pack, contact Rational Customer
support for instructions to download and install the test fix.
ClearQuest Server components
Review the following WAS security bulletin:
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect
WebSphere Application Server April 2015 CPU
and apply the relevant fixes to your WAS installation and WAS profiles
used for ClearQuest.
Affected Versions Applying the fix
7.1.0.x, 7.1.1.x, and 7.1.2.x Document 1390803 explains how to update
WebSphere Application Server for ClearQuest
CM Servers at release 7.1.x. Consult those
instructions when applying the fix.
8.0.0.x Apply the appropriate WebSphere Application
8.0.1.x Server fix directly to your CQ server host.
No ClearQuest-specific steps are necessary.
For 7.0.x and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
References
Complete CVSS v2 Guide
On-line Calculator v2
IBM Java SDK Security Bulletin
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
CVE-2015-1916 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO
team at INRIA
Change History
* 11 August 2015: Originally published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVcweUn6ZAP0PgtI9AQKebw//e5htTlN3OH3v7jkBtYD+QAIrRgf4tG9l
2mJhTG3wt0CB0ML98NJUjJNdrLon8Yg/bDyy5qMQgoWIZ+0dneUqKI34zpgoNGK+
lstzo2MTSNdUSlVB2fx1Ja6n0+kw1f5UmPxE6rpXB0a+WhgnqcHzO/GN9X4Vc3+J
0ZP1rvR9vBpa3Bo2cGVF4uPzsDa41dRTHUpejwBybgHoj8qCLLTZM7aJHcaq6Bn3
7aaJYvL9XRUwsooEX+fDQ0QUjFy6de6CDP/nLPvlrE9epLs7hMu0YdMybw0agDOO
2oK51SnVFvh0KpJxQbCNW95AIkm4WKD9/xydJo8h+RCCvgicKQt7az/et/vrCosS
ZM5aOAn3JuWhB4Bc3Gpk+I1Eikq9fmc1PsqCwGlnQTuPFDmpjiadKm9cmg8xDG1x
ciQho604s3YButOQ2ZoY9yNDH8jhGfXGuVhTCyNTkbeksPQVk0VZUN0Z83esCU1s
jNSdPp6/kRpXSSzvQ81ynrtUta5d+tQVwRA5TTsTZ1F9+wxyN7KADGcXqD8LNGWh
bMIJZ4oYAyUuyWzEytwr6IY/JS0hk6F5VeJDf1GwBYfTLHA0b8+Od6Cc2FaYuTrA
b5Sx1DHhxbbuWYJfgE+t9ncVIbjzfS0qEba/K0RvCzuWXeELZk0AIRI4d1LkNbJL
4/ari9PMLG0=
=6SfW
-----END PGP SIGNATURE-----