-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2341
 Security Bulletin: Multiple vulnerabilities affect IBM Rational products
                              6 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Performance Tester
                   IBM Rational Collaborative Lifecycle Management
                   IBM Rational Quality Manager
                   IBM Rational Team Concert
                   IBM Rational DOORS Next Generation
                   IBM Rational Engineering Lifecycle Manager
                   IBM Rational Rhapsody Design Manager
                   IBM Rational Software Architect Design Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   OS X
                   Windows
                   Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5983 CVE-2016-3674 CVE-2016-3485
                   CVE-2016-2947  

Reference:         ASB-2016.0074
                   ESB-2016.2276
                   ESB-2016.2135
                   ESB-2016.1911

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21991877
   http://www.ibm.com/support/docview.wss?uid=swg21991879
   http://www.ibm.com/support/docview.wss?uid=swg21991477
   http://www.ibm.com/support/docview.wss?uid=swg21991406
   http://www.ibm.com/support/docview.wss?uid=swg21991476

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational
Performance Tester (CVE-2016-3485)

Security Bulletin

Document information

More support for:

Rational Performance Tester

Test Execution

Software version:

8.3, 8.3.0.1, 8.3.0.2, 8.3.0.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.1, 8.5.1.1,
8.5.1.2, 8.5.1.3, 8.6, 8.6.0.1, 8.6.0.2, 8.7, 8.7.0.1, 8.7.0.2, 8.7.1,
8.7.1.1, 9.0.0, 9.0.0.1, 9.0.0.2

Operating system(s):

AIX, Linux, OS X, Windows

Reference #:

1991877

Modified date:

2016-10-05

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Version 7 and Version 8. These issues were disclosed as part of the IBM Java
SDK updates in July 2016.

Vulnerability Details

CVEID: CVE-2016-3485

DESCRIPTION:

An unspecified vulnerability related to the Networking component has no
confidentiality impact, low integrity impact, and no availability impact.

CVSS Base Score: 2.9

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Rational Performance Tester versions 8.3, 8.5, 8.6, 8.7 and 9.0.

Remediation/Fixes

Upgrading to version 9.0.1 is strongly recommended.

Product        VRMF         APAR    Remediation/First Fix
RPT Workbench  9.0          None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc
RPT Agent      9.0          None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT            8.7 - 8.7.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT            8.6 - 8.6.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT            8.5 - 8.5.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT            8.3 - 8.3.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide

On-line Calculator v2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

5-Oct-2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational
Service Tester (CVE-2016-3485)

Security Bulletin

Document information

More support for:

Rational Service Tester for SOA Quality

Test Execution

Software version:

8.3, 8.3.0.1, 8.3.0.2, 8.3.0.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.1, 8.5.1.1,
8.5.1.2, 8.5.1.3, 8.6, 8.6.0.1, 8.6.0.2, 8.7, 8.7.0.1, 8.7.0.2, 8.7.1,
8.7.1.1, 9.0.0

Operating system(s):

Linux, OS X, Windows

Reference #:

1991879

Modified date:

2016-10-05

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Version 7 and Version 8. These issues were disclosed as part of the IBM Java
SDK updates in July 2016.

Vulnerability Details

CVEID: CVE-2016-3485

DESCRIPTION:

An unspecified vulnerability related to the Networking component has no
confidentiality impact, low integrity impact, and no availability impact.

CVSS Base Score: 2.9

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Rational Service Tester versions 8.3, 8.5, 8.6, 8.7 and 9.0.

Remediation/Fixes

Product        VRMF         APAR    Remediation/First Fix
RST Workbench  9.0          None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc
Agent          9.0          None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST            8.7 - 8.7.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST            8.6 - 8.6.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST            8.5 - 8.5.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST            8.3 - 8.3.x  None    Download
                                    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide

On-line Calculator v2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

05-Oct-2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Vulnerability affects multiple IBM Rational products based
on IBM Jazz technology (CVE-2016-2947)

Security Bulletin

Document information

More support for:

Rational Collaborative Lifecycle Management

General Information

Software version:

4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0,
6.0.1, 6.0.2

Operating system(s):

AIX, Linux, Solaris, Windows, iOS

Reference #:

1991477

Modified date:

2016-10-05

Summary

An undisclosed information disclosure vulnerability in the IBM Jazz
Foundation affects the following IBM Jazz based Applications: Collaborative
Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational
Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational
Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and
Rational Software Architect Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2016-2947

DESCRIPTION:

An undisclosed information disclosure vulnerability exists in the Jazz
Foundation products.

CVSS Base Score: 2.7

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113594
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0 - 6.0.2

Rational Quality Manager 4.0 - 4.0.7

Rational Quality Manager 5.0 - 5.0.2

Rational Quality Manager 6.0 - 6.0.2

Rational Team Concert 4.0 - 4.0.7

Rational Team Concert 5.0 - 5.0.2

Rational Team Concert 6.0 - 6.0.2

Rational DOORS Next Generation 4.0 - 4.0.7

Rational DOORS Next Generation 5.0 - 5.0.2

Rational DOORS Next Generation 6.0 - 6.0.2

Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7

Rational Engineering Lifecycle Manager 5.0 - 5.0.2

Rational Engineering Lifecycle Manager 6.0 - 6.0.2

Rational Rhapsody Design Manager 4.0 - 4.0.7

Rational Rhapsody Design Manager 5.0 - 5.0.2

Rational Rhapsody Design Manager 6.0 - 6.0.2

Rational Software Architect Design Manager 4.0 - 4.0.7

Rational Software Architect Design Manager 5.0 - 5.0.2

Rational Software Architect Design Manager 6.0 - 6.0.2

Remediation/Fixes

For the 6.0.x releases, upgrade to version 6.0.2 iFix5 or later

Rational Collaborative Lifecycle Management 6.0.2 iFix5

Rational Team Concert 6.0.2 iFix5

Rational Quality Manager 6.0.2 iFix5

Rational DOORS Next Generation 6.0.2 iFix5

Rational Software Architect Design Manager: upgrade to version 6.0.2 and
install the server from CLM 6.0.2 iFix5

Rational Rhapsody Design Manager: upgrade to version 6.0.2 and install the
server from CLM 6.0.2 iFix5

Rational Engineering Lifecycle Manager: upgrade to version RELM 6.0.2 and
install the server from CLM 6.0.2 iFix5

For the 5.0.x releases, upgrade to version 5.0.2 iFix18 or later

Rational Collaborative Lifecycle Management 5.0.2 iFix18

Rational Team Concert 5.0.2 iFix18

Rational Quality Manager 5.0.2 iFix18

Rational DOORS Next Generation 5.0.2 iFix18

Rational Software Architect Design Manager: upgrade to version 5.0.2 and
install the server from CLM 5.0.2 iFix18

Rational Rhapsody Design Manager: upgrade to version 5.0.2 and install the
server from CLM 5.0.2 iFix18

Rational Engineering Lifecycle Manager: upgrade to version 5.0.2 and install
the server from CLM 5.0.2 iFix18

For the 4.0.x releases, upgrade to version 4.0.7 iFix11 or later

Rational Collaborative Lifecycle Management 4.0.7 iFix11

Rational Team Concert 4.0.7 iFix11

Rational Quality Manager 4.0.7 iFix11

Rational DOORS Next Generation/Requirements Composer 4.0.7 iFix11

Rational Software Architect Design Manager: upgrade to version 4.0.7 and
install the server from CLM 4.0.7 iFix11

Rational Rhapsody Design Manager: upgrade to version 4.0.7 and install the
server from CLM 4.0.7 iFix11

Rational Engineering Lifecycle Manager: upgrade to version 4.0.7 and install
the server from CLM 4.0.7 iFix11

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site.

Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

05 October 2016: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: XStream XML information disclosure vulnerability affects
IBM Rational Quality Manager (CVE-2016-3674)

Security Bulletin

Document information

More support for:

Rational Quality Manager

General Information

Software version:

3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6,
4.0.7, 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2

Operating system(s):

AIX, Linux, Solaris, Windows

Reference #:

1991406

Modified date:

2016-10-05

Summary

An XML external entity (XXE) information disclosure flaw in the XStream
libraries shipped with IBM Rational Quality Manager could allow a remote
attacker to obtain sensitive information.

Vulnerability Details

CVEID: CVE-2016-3674

DESCRIPTION:

XStream libraries shipped with IBM Rational Quality Manager could allow a
remote attacker to obtain sensitive information, caused by an error when
processing XML external entities. By sending specially-crafted XML data, an
attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111806
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0.0 - 6.0.2

Rational Quality Manager 6.0 - 6.0.2

Rational Quality Manager 5.0 - 5.0.2

Rational Quality Manager 4.0 - 4.0.7

Rational Quality Manager 3.0.1.6

Remediation/Fixes

Note: In the instructions below, replace Y.Y.Y with the product version you
have deployed. For example, replace Y.Y.Y with 6.0.2 if that is the version
deployed.

For jars with X.X.XXX.vXXX in the instructions below, the X's will be
dependent on your exact version. Use the version that is deployed.

1. Get the xStream library 1.4.9 version from

http://x-stream.github.io/download.html

2. Go to the rqm-update-site\plugins folder in your CLM installation path:

C:\<installation directory>\server\conf\qm\sites\rqm-update-site

3. Locate the jar file: com.ibm.rational.test.lm.service_X.X.XXX.vXXX.jar

a. Make a backup

b. Open the jar and, from inside it:

c. Delete the files:

xstream-Y.Y.Y.jar

and

xstream-SNAPSHOT.jar

d. Copy the new xStream library (xstream-1.4.9.jar) to the same place

e. Edit the build.properties file.

i. Delete the following lines:

xstream-Y.Y.Y.jar,\

and

xstream-SNAPSHOT.jar,\

ii. Add the following line in the same place:

xstream-1.4.9.jar,\

f. Edit the META-INF\MANIFEST.MF file.

i. Delete the following lines:

xstream-Y.Y.Y.jar,

and

xstream-SNAPSHOT.jar,

ii. Add the following line in the same place:

xstream-1.4.9.jar,

a. Make a backup

b. Open the jar and, from inside it:

c. Delete the files:

lib\xstream-Y.Y.Y.jar

d. Copy the new xStream library (xstream-1.4.9.jar) to the same place

e. Edit the build.properties file.

i. Delete the following lines:

lib/xstream-Y.Y.Y.jar,\

ii. Add the following line in the same place:

lib/xstream-1.4.9.jar,\

f. Edit the META-INF\MANIFEST.MF file.

i. Delete the following lines:

lib/xstream-Y.Y.Y.jar,

ii. Add the following line in the same place:

lib/xstream-1.4.9.jar,
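The manual jar surgery above is easy to get wrong when it has to be repeated on several servers. The script below is an added example, not IBM tooling, that performs the same steps with Python's standard zipfile module: it backs up the plug-in jar, removes every xstream-*.jar entry, adds xstream-1.4.9.jar in the same directory inside the jar, and rewrites the matching lines of build.properties and META-INF/MANIFEST.MF (first xstream line replaced, any further one such as xstream-SNAPSHOT.jar deleted). The plug-in jar it builds for the demonstration is constructed sample data: the _0.0.0.v0 version suffix, the 1.4.7 placeholder version and the jar payloads are assumptions, and the real path and jar name come from steps 2 and 3 above. It refuses to touch a signed jar, since editing one would invalidate its signature, and keeps the .bak copy that step 3a asks for.

```python
"""Swap the bundled XStream jar inside an Eclipse-style plug-in jar.
Added example, not IBM tooling: scripts steps 3a-3f of the bulletin.  The
plug-in jar from make_demo_jar() is constructed sample data (its version
suffix, the "1.4.7" placeholder and the jar payloads are assumptions)."""
import os
import re
import shutil
import tempfile
import zipfile

NEW_XSTREAM = "xstream-1.4.9.jar"   # the fixed library named in the bulletin
# A build.properties / MANIFEST.MF line naming an xstream jar, e.g.
# "xstream-1.4.7.jar,\", "xstream-SNAPSHOT.jar," or " lib/xstream-1.4.7.jar,"
_XSTREAM_LINE = re.compile(
    r"^(?P<indent>\s*)(?P<dir>(?:lib/)?)xstream-[\w.\-]+\.jar(?P<tail>,?\\?)\s*$")
_XSTREAM_ENTRY = re.compile(r"^(?:lib/)?xstream-[\w.\-]+\.jar$")

def bundled_xstream_entries(jar_path):
    """Audit helper: which xstream-*.jar files does this plug-in jar carry?"""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if _XSTREAM_ENTRY.match(n)]

def rewrite_classpath_text(text):
    """Replace the first xstream line with the fixed jar; delete any others."""
    out, replaced = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _XSTREAM_LINE.match(body)
        if not m:
            out.append(line)
        elif not replaced:   # first hit gets the new name; later ones are dropped
            out.append(m["indent"] + m["dir"] + NEW_XSTREAM + m["tail"] + line[len(body):])
            replaced = True
    return "".join(out), replaced

def patch_plugin_jar(jar_path, new_xstream_path):
    """Apply the bulletin's steps. Returns (removed entry names, added entry name)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        sigs = [n for n in names if n.startswith("META-INF/")
                and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))]
        if sigs:                  # editing a signed jar would void its signature
            raise RuntimeError(f"{jar_path} is signed ({sigs}); not editing it")
        old = [n for n in names if _XSTREAM_ENTRY.match(n)]
        if not old:
            raise RuntimeError("no xstream-*.jar inside " + jar_path)
        subdir = os.path.dirname(old[0])
        added = f"{subdir}/{NEW_XSTREAM}" if subdir else NEW_XSTREAM
        shutil.copy2(jar_path, jar_path + ".bak")                    # 3a backup
        tmp = jar_path + ".tmp"
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as out:
            for info in zf.infolist():
                if info.filename in old:                              # 3c delete
                    continue
                data = zf.read(info.filename)
                if info.filename in ("build.properties", "META-INF/MANIFEST.MF"):
                    text, ok = rewrite_classpath_text(data.decode("utf-8"))
                    if not ok:
                        raise RuntimeError(info.filename + " lists no xstream jar")
                    data = text.encode("utf-8")                       # 3e / 3f
                out.writestr(info, data)
            with open(new_xstream_path, "rb") as fh:
                out.writestr(added, fh.read())                        # 3d add
    os.replace(tmp, jar_path)
    return old, added

def make_demo_jar(directory, old_version="1.4.7"):
    """Constructed sample: a plug-in jar laid out the way the bulletin describes."""
    jar = os.path.join(directory, "com.ibm.rational.test.lm.service_0.0.0.v0.jar")
    manifest = ("Manifest-Version: 1.0\nBundle-ClassPath: .,\n"
                f" xstream-{old_version}.jar,\n xstream-SNAPSHOT.jar,\n other.jar\n")
    props = ("bin.includes = META-INF/,\\\n.,\\\n"
             f"xstream-{old_version}.jar,\\\nxstream-SNAPSHOT.jar,\\\nother.jar\n")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("build.properties", props)
        zf.writestr(f"xstream-{old_version}.jar", b"old xstream bytes")
        zf.writestr("xstream-SNAPSHOT.jar", b"snapshot bytes")
        zf.writestr("other.jar", b"unrelated")
    new_jar = os.path.join(directory, NEW_XSTREAM)
    with open(new_jar, "wb") as fh:
        fh.write(b"fixed xstream bytes")
    return jar, new_jar

def demo():
    """Run the whole procedure on the constructed jar and report what changed."""
    with tempfile.TemporaryDirectory() as d:
        jar, new_jar = make_demo_jar(d)
        before = bundled_xstream_entries(jar)
        removed, added = patch_plugin_jar(jar, new_jar)
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode()
            props = zf.read("build.properties").decode()
            payload = zf.read(added)
        return {"before": before, "removed": removed, "added": added,
                "after": bundled_xstream_entries(jar), "backup": os.path.exists(jar + ".bak"),
                "manifest": manifest, "props": props, "payload": payload}
```

On a real server, call patch_plugin_jar() with the plug-in jar located in step 3 and the downloaded xstream-1.4.9.jar; bundled_xstream_entries() on its own is a quick audit of which XStream version a server still carries. The same code handles the second set of steps above, where the entries sit under lib/, because the lib/ prefix is carried through into the rewritten build.properties and MANIFEST.MF lines.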

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site.

Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

05 October 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Code execution vulnerability in WebSphere Application
Server affects multiple IBM Rational products based on IBM Jazz technology
(CVE-2016-5983)

Security Bulletin

Document information

More support for:

Rational Collaborative Lifecycle Management

General Information

Software version:

4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0,
6.0.1, 6.0.2

Operating system(s):

AIX, Linux, Solaris, Windows, iOS

Reference #:

1991476

Modified date:

2016-10-05

Summary

Code Execution vulnerability in WebSphere Application Server bundled with IBM
Jazz Team Server based Applications affects multiple products: Collaborative
Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational
Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational
Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and
Rational Software Architect Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2016-5983

DESCRIPTION:

IBM WebSphere Application Server could allow remote attackers to execute
arbitrary Java code with a serialized object from untrusted sources.

CVSS Base Score: 7.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116468
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0 - 6.0.2

Rational Quality Manager 4.0 - 4.0.7

Rational Quality Manager 5.0 - 5.0.2

Rational Quality Manager 6.0 - 6.0.2

Rational Team Concert 4.0 - 4.0.7

Rational Team Concert 5.0 - 5.0.2

Rational Team Concert 6.0 - 6.0.2

Rational DOORS Next Generation 4.0.1 - 4.0.7

Rational DOORS Next Generation 5.0 - 5.0.2

Rational DOORS Next Generation 6.0 - 6.0.2

Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7

Rational Engineering Lifecycle Manager 5.0 - 5.0.2

Rational Engineering Lifecycle Manager 6.0 - 6.0.2

Rational Rhapsody Design Manager 4.0 - 4.0.7

Rational Rhapsody Design Manager 5.0 - 5.0.2

Rational Rhapsody Design Manager 6.0 - 6.0.2

Rational Software Architect Design Manager 4.0 - 4.0.7

Rational Software Architect Design Manager 5.0 - 5.0.2

Rational Software Architect Design Manager 6.0 - 6.0.2

Remediation/Fixes

The IBM Jazz Team Server based applications bundle different versions of IBM
WebSphere Application Server (WAS) and WAS Liberty with the available versions
of the products, and some earlier versions of WAS are also supported alongside
the bundled one. To remediate, follow the WAS security bulletin for the version
you are actually running:

1. Review the Security Bulletin: Code execution vulnerability in WebSphere 
Application Server (CVE-2016-5983) for vulnerability details.

2. Check the version of WAS, if any, that your deployment is actually using, 
and compare it against the list of affected versions in the security bulletin.

3. Review the Remediation/Fixes section in the Security Bulletin: Code 
execution vulnerability in WebSphere Application Server (CVE-2016-5983) for 
available fixes in the version that you are using.

- - NOTE: When installing the fixed WAS Liberty package use
<JazzInstallLocation>/server/liberty/wlp as the location of the WAS Liberty
installation, where <JazzInstallLocation> is the root folder of your CLM
installation.

Workarounds and Mitigations

None
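The bulletin offers no workaround, so until the WAS fix is installed the practical compensating control is to notice serialized Java objects arriving from untrusted sources. The detector below is an added example, not IBM or WebSphere code: it screens request bodies for the fixed Java serialization stream header (bytes 0xAC 0xED 0x00 0x05, or the prefix rO0AB once base64-encoded), and also looks inside gzip-compressed bodies and base64-encoded parameter values, where such payloads are commonly wrapped. The request bodies it scans are constructed samples; the class name inside them is invented and the stream is truncated, since only the header matters for this check.

```python
"""Flag Java serialized-object streams in HTTP request bodies.
Added example, not IBM or WebSphere code.  The Java serialization header is
fixed (0xAC 0xED 0x00 0x05, "rO0AB" once base64-encoded), so bodies captured
at a proxy, WAF or in traffic logs can be screened for it.  SAMPLES are
constructed request bodies with an invented class name and truncated stream."""
import base64
import gzip
import re

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"        # STREAM_MAGIC + STREAM_VERSION
B64_MAGIC = b"rO0AB"                        # the same bytes after base64 encoding
_B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{8,}")


def _decodings(body):
    """Yield (encoding, bytes) views of a body: gunzipped, raw, base64 runs."""
    if body[:2] == b"\x1f\x8b":            # outer gzip first (Content-Encoding)
        try:
            yield "gzip", gzip.decompress(body)
        except (OSError, EOFError):
            pass
    yield "raw", body
    for run in _B64_RUN.findall(body):
        if B64_MAGIC in run:
            chunk = run[run.index(B64_MAGIC):]
            try:
                yield "base64", base64.b64decode(chunk + b"=" * (-len(chunk) % 4))
            except ValueError:             # binascii.Error is a ValueError
                pass


def find_java_serialization(body):
    """Return (encoding, offset) of the first serialization header, else None."""
    for encoding, data in _decodings(body):
        offset = data.find(JAVA_SER_MAGIC)
        if offset != -1:
            return encoding, offset
    return None


def scan(requests):
    """Batch form: {request name: body} -> {request name: finding or None}."""
    return {name: find_java_serialization(body) for name, body in requests.items()}


_OBJ = JAVA_SER_MAGIC + b"sr\x00\x0bjava.lang.Foo"   # constructed, truncated stream
SAMPLES = {                                           # constructed request bodies
    "benign_json": b'{"user":"alice","action":"list"}',
    "raw_object": _OBJ + b"\x00" * 8,
    "base64_param": b"data=" + base64.b64encode(_OBJ),
    "gzip_object": gzip.compress(_OBJ, mtime=0),
    "lookalike": b"rO0A is not enough on its own",
}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:13s} {'FLAGGED ' + str(hit) if hit else 'clean'}")
```

A hit is a reason to inspect, not proof of exploitation: legitimate Java clients (RMI/IIOP, JMX connectors, thick clients that post serialized forms) also send this header, so baseline which sources are expected to do so before alerting on the signature, and treat any appearance from an unexpected source or unauthenticated session as the event worth a look.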

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site.

Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

05 October 2016: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV/X/7Ix+lLeg9Ub1AQgmNhAApihx8ONuKUmXwAjhFogP/i1n7v+YRT2i
/VwUYqM7NePZ0kUiFyMEuoTfVyPLMGFEAz41pNvmYV/brCNWxSc0C2VLL99Bu4rV
scwY4xcoBkNi53ZCvlQGn1CLHm+Rn/Nt8394RCWa5CkZPnGA4sngBKJh/K0XMTEQ
vku9u36gMFNZbb+mLaqVpvyNFEiPBIC2WkyGY4/hWu2l7FWu0Us5NG0HNPMJQ3Ti
UEzwU+I0mY6TxATonJeJSbg9ZNRrcnSShK8uGS6WPL8XiQDZf6s6oNqt165e0Jxm
olUBJKrSbda859s3YpTzMpE/pPvtzlZnrKsr84GVAVO+U0Qm5uNIs2fgZ8eKWGA2
4CUaJ2REJSfUkaghfpWVCQHbQ4tKPf19UteB1CwT7kAIsBLdQjfy/6ebz9SLH4Dk
hSjL431IQ9oWxpo12ugJRelb8OU8Dbb3SggSKm/4Bz2czes7+e2gEKKrWzdGsuO6
d2wcOZdoWvhooCjrFzw2W26kMVb66frLlRxJX3aMzIhBhbPkq9hGrzI1NPG9QvQp
7R8H3brB467uUgLfNJYMumFmIzdyDdZnmQPXYYo2ffphZTcEWJhYcDqjxODB1VMw
OiNwOsoKfOazH4bKZ6z0cHfbqDjjCEY0cKKC7dWi5OWbfcsf2wL04IhV6l7MWeIk
tatF5zDitdU=
=8Bmh
-----END PGP SIGNATURE-----