Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1360
Security Bulletin: Multiple vulnerabilities affect IBM Rational ClearQuest
31 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational ClearQuest
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Access Privileged Data -- Remote with User Interaction
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-7575 CVE-2015-4893 CVE-2015-4872
CVE-2015-4803 CVE-2015-3196 CVE-2015-3195
CVE-2015-3194 CVE-2015-3193 CVE-2015-1791
CVE-2015-1789 CVE-2015-1788
Reference: ASB-2016.0043
ASB-2016.0004
ASB-2015.0103
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21983532
http://www.ibm.com/support/docview.wss?uid=swg21972432
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational
ClearQuest (CVE-2015-3196, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195)
Security Bulletin
Document information
More support for:
Rational ClearQuest
Software version:
7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5,
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3,
7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18,
7.1.2.19, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7,
8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15,
8.0.0.16, 8.0.0.17, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5,
8.0.1.6, 8.0.1.7, 8.0.1.8, 8.0.1.9, 8.0.1.10, 9.0.0.0
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Reference #:
1983532
Modified date:
2016-05-27
Summary
OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL
Project. OpenSSL is used by IBM Rational ClearQuest. IBM Rational ClearQuest
has addressed the applicable CVEs.
Vulnerability Details
CVEID:
CVE-2015-3196
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by a race condition when
PSK identity hints are received by a multi-threaded client and the SSL_CTX
structure is updated with the incorrect value. An attacker could exploit this
vulnerability to possibly corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/108505
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-3193
DESCRIPTION:
OpenSSL could allow a remote attacker to obtain sensitive information, caused
by an error in the x86_64 Montgomery squaring procedure. An attacker with
online access to an unpatched system could exploit this vulnerability to
obtain private key information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/108502
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:
CVE-2015-3194
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by a NULL pointer
dereference when verifying certificates via a malformed routine. An attacker
could exploit this vulnerability using signature verification routines with
an absent PSS parameter to cause any certificate verification operation to
crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/108503
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-3195
DESCRIPTION:
OpenSSL could allow a remote attacker to obtain sensitive information, caused
by a memory leak in a malformed X509_ATTRIBUTE structure. An attacker could
exploit this vulnerability to obtain CMS data and other sensitive
information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/108504
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
IBM Rational ClearQuest, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x,
8.0.1.x, and 9.0 in the following components:
ClearQuest hooks and cqperl/ratlperl scripts that use SSL.
Database drivers configured to use SSL connections to the database.
ClearQuest version Status
9.0 Affected
8.0.1 through 8.0.1.10 Affected
8.0 through 8.0.0.17 Affected
7.1.0.x Affected
7.1.1.x
7.1.2.x
(all versions and fix packs)
Remediation/Fixes
Affected Versions Fixes
9.0 Install Rational ClearQuest Fix Pack 1 (9.0.0.1) for 9.0
8.0.1 through 8.0.1.10 Install Rational ClearQuest Fix Pack 11 (8.0.1.11) for 8.0.1
8.0 through 8.0.0.17 Install Rational ClearQuest Fix Pack 18 (8.0.0.18) for 8.0
7.1.2.x (all fix packs) Customers on extended support contracts should contact customer support.
7.1.1.x (all fix packs)
7.1.0.x (all fix packs)
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest
(CVE-2015-1788, CVE-2015-1789, CVE-2015-1791)
For 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v3 Guide
On-line Calculator v3
OpenSSL Project vulnerability website
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
* 27 May 2016: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
Rational ClearQuest (CVE-2015-7575, CVE-2015-4872, CVE-2015-4893,
CVE-2015-4803)
Security Bulletin
Document information
More support for:
Rational ClearQuest
Software version:
7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5,
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3,
7.1.2.4, 7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 7.1.2.17, 7.1.2.18,
7.1.2.19, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7,
8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15,
8.0.0.16, 8.0.0.17, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5,
8.0.1.6, 8.0.1.7, 8.0.1.8, 8.0.1.9, 8.0.1.10, 9.0.0.0
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Reference #:
1972432
Modified date:
2016-05-27
Summary
There are multiple vulnerabilities in IBM Runtime Environment Java Technology
Edition, Versions 6, 7 and 8 that are used by IBM Rational ClearQuest. These
issues were disclosed as part of the IBM Java SDK updates in October 2015 and
January 2016 and include the vulnerability commonly referred to as "SLOTH".
Vulnerability Details
CVEID:
CVE-2015-7575
DESCRIPTION:
The TLS protocol could allow weaker than expected security caused by a
collision attack when using the MD5 hash function for signing a
ServerKeyExchange message during a TLS handshake. An attacker could exploit
this vulnerability using man-in-the-middle techniques to impersonate a TLS
server and obtain credentials. This vulnerability is commonly referred to as
SLOTH.
CVSS Base Score: 7.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109415
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/UI:U/C:H/I:L/A:N)
CVEID:
CVE-2015-4872
DESCRIPTION:
An unspecified vulnerability related to the Security component has no
confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107361
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID:
CVE-2015-4893
DESCRIPTION:
An unspecified vulnerability related to the JAXP component could allow a
remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107359
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID:
CVE-2015-4803
DESCRIPTION:
An unspecified vulnerability related to the JAXP component could allow a
remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107358
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
IBM Rational ClearQuest, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x,
8.0.1.x, and 9.0 in the following components:
ClearQuest Web/CQ OSLC server/CM Server component, when configured to use
SSL.
ClearQuest Eclipse clients that use Report Designer, run remote reports on
servers using secure connections, or use the embedded browser to connect to
secure web sites. If you do not use the ClearQuest Eclipse client in this
way, then you are not affected.
ClearQuest version Status
9.0 Affected only by CVE-2015-7575
8.0.1 through 8.0.1.10 Affected
8.0 through 8.0.0.17 Affected
7.1.0.x Affected
7.1.1.x
7.1.2.x
(all versions and fix packs)
Remediation/Fixes
ClearQuest Web/CQ OSLC Server/CM Server Component
For ClearQuest 9.0 and 8.x
These releases use an installation of WebSphere Aplication Server (WAS)
separately installed and maintained from the ClearQuest installation.
Determine the version of WAS that your deployment is using and follow the
instructions at
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere
Application Server January 2016 CPU
For ClearQuest 7.1.x
Customers on extended support contracts should contact customer support.
ClearQuest Eclipse Clients
Apply the relevant fixes as listed in the table below.
Affected Versions Fixes
9.0 Install Rational ClearQuest Fix Pack 1 (9.0.0.1) for 9.0
8.0.1 through 8.0.1.10 Install Rational ClearQuest Fix Pack 11 (8.0.1.11) for 8.0.1
8.0 through 8.0.0.17 Install Rational ClearQuest Fix Pack 17 (8.0.0.17) for 8.0
7.1.2.x (all fix packs) Customers on extended support contracts should contact customer support.
7.1.1.x (all fix packs)
7.1.0.x (all fix packs)
For 7.1.x and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.
Workarounds and Mitigations
If you are unable to take the steps to fix the issue (installing the fix
pack), for CVE-2015-7575, the following workaround is available for
ClearQuest 9.0. This version of ClearQuest uses Java 7 or Java 8 (depending
on platform).
This change is needed on every ClearQuest Eclipse client until the fix pack
is installed.
The administrator can address the issue on clients by updating the file
/opt/rational/common/JAVA/jre/lib/security/java.security (UNIX) or
RationalSDLC\common\JAVA\jre\lib\security\java.security (Windows) as follows
(both steps are required):
- - Add MD5 to the jdk.certpath.disabledAlgorithms property - e.g.
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
- - Add MD5withRSA to the jdk.tls.disabledAlgorithms property - e.g.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
Java 6 (used by ClearQuest 8.0 and 8.0.1) requires code changes in the JSSE
component in addition to the java.security file modifications, so upgrading
to the fix pack is the only solution.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3
IBM Java SDK October 2015 Security Bulletin
IBM Java SDK January 2016 Security Bulletin
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
* 27 May 2016: Updated to refer to fix packs
* 26 April 2016: Update to include testfix for 9.0.
* 17 March 2016: Originally published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV00F+X6ZAP0PgtI9AQJ5Sg//Wcv4SyUjM3F9nfBTgk8A6vs+p5x5HtEf
6+DrljSqwtnZvbKqM2kg1Mql068yuW1QREnns4jvGyBabKVbkqKz9pV5DteObCnK
fZoz9FMxFLbveLt1nfi3+YnYoCtKfKFT6B+6U75cHDaEgEzDiU4b/4DYQlY2yGUS
4z+3xg3goL6ue2pMUGMNtBYYXhBpKDlE42evWvP0TVRQm4KO7734rRmfyy1uui9f
HVAFcFIKtoACZzUux1zn5JpkByYjnc9nmbIOE6GNZHhX2sXn6LJns+mWZoeWzbeF
ZHDDK6Ci4sgaeb5eFCkVEwVL0dia5EddgYJIi0arwWYX1TTp6/epJccJn2EHmnMU
+ld/zL+srvgpFNkQZ623O3dJlDe3a1rJi9IXtisrLetj+PBRqSDiUwtEMHy840fO
rOv0MJUDsel6VHfWW6pKb7B51QnIiwZIfo8wC7nfzYFhs6s3JsVWHLjMc68g7kG+
TKqHaF8xfFrBxEtizZv2E3E5KX3jyCMtR+O6es6l7XFJvOxeusWHJMxDS1zu4quK
b9hfLEl8kyJVDjQjdr/QUvqwvnq+6N99oN3vvEQa3wrjzb4EnBO2M59j3Kui7wYc
mYtTnqshyzyxspgpOkGq9SVEKIMsTgVfIXk3rerENVyV0BZiuN7P7qQIYuC8QHSH
Jk6OqmDiq5o=
=8ggW
-----END PGP SIGNATURE-----