Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2341
Security Bulletin: Multiple vulnerabilities affect IBM Rational products
6 October 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational Performance Tester
IBM Rational Collaborative Lifecycle Management
IBM Rational Quality Manager
IBM Rational Team Concert
IBM Rational DOORS Next Generation
IBM Rational Engineering Lifecycle Manager
IBM Rational Rhapsody Design Manager
IBM Rational Software Architect Design Manager
Publisher: IBM
Operating System: AIX
Linux variants
OS X
Windows
Apple iOS
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Modify Arbitrary Files -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5983 CVE-2016-3674 CVE-2016-3485
CVE-2016-2947
Reference: ASB-2016.0074
ESB-2016.2276
ESB-2016.2135
ESB-2016.1911
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21991877
http://www.ibm.com/support/docview.wss?uid=swg21991879
http://www.ibm.com/support/docview.wss?uid=swg21991477
http://www.ibm.com/support/docview.wss?uid=swg21991406
http://www.ibm.com/support/docview.wss?uid=swg21991476
Comment: This bulletin contains five (5) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational
Performance Tester (CVE-2016-3485)
Security Bulletin
Document information
More support for:
Rational Performance Tester
Test Execution
Software version:
8.3, 8.3.0.1, 8.3.0.2, 8.3.0.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.1, 8.5.1.1,
8.5.1.2, 8.5.1.3, 8.6, 8.6.0.1, 8.6.0.2, 8.7, 8.7.0.1, 8.7.0.2, 8.7.1,
8.7.1.1, 9.0.0, 9.0.0.1, 9.0.0.2
Operating system(s):
AIX, Linux, OS X, Windows
Reference #:
1991877
Modified date:
2016-10-05
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Version 7 and Version 8. These issues were disclosed as part of the IBM Java
SDK updates in July 2016.
Vulnerability Details
CVEID:
CVE-2016-3485
DESCRIPTION:
An unspecified vulnerability related to the Networking component has no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 2.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/115273
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
Rational Performance Tester versions 8.3, 8.5, 8.6, 8.7 and 9.0.
Remediation/Fixes
Upgrading to version 9.0.1 is strongly recommended.
Product VRMF APAR Remediation/First Fix
RPT Workbench 9.0 None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc
RPT Agent 9.0 None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT 8.7 - 8.7.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT 8.6 - 8.6.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT 8.5 - 8.5.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RPT 8.3 -8.3.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v2 Guide
On-line Calculator v2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
5-Oct-2016: Original version published.
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: : Multiple vulnerabilities in IBM Java SDK affect
Rational Service Tester (CVE-2016-3485)
Security Bulletin
Document information
More support for:
Rational Service Tester for SOA Quality
Test Execution
Software version:
8.3, 8.3.0.1, 8.3.0.2, 8.3.0.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.1, 8.5.1.1,
8.5.1.2, 8.5.1.3, 8.6, 8.6.0.1, 8.6.0.2, 8.7, 8.7.0.1, 8.7.0.2, 8.7.1,
8.7.1.1, 9.0.0
Operating system(s):
Linux, OS X, Windows
Reference #:
1991879
Modified date:
2016-10-05
Summary
There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Version 7 and Version 8. These issues were disclosed as part of the IBM Java
SDK updates in July 2016.
Vulnerability Details
CVEID:
CVE-2016-3485
DESCRIPTION:
An unspecified vulnerability related to the Networking component has no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 2.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/115273
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
Rational Service Tester versions 8.3, 8.5, 8.6, 8.7 and 9.0.
Remediation/Fixes
Product VRMF APAR Remediation/First Fix
RST Workbench 9.0 None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc
Agent 9.0 None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST 8.7 - 8.7.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST 8.6 - 8.6.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST 8.5 - 8.5.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
RST 8.3 -8.3.x None Download
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v2 Guide
On-line Calculator v2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
05-Oct-2016: Original version published.
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: Vulnerability affects multiple IBM Rational products based
on IBM Jazz technology (CVE-2016-2947)
Security Bulletin
Document information
More support for:
Rational Collaborative Lifecycle Management
General Information
Software version:
4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0,
6.0.1, 6.0.2
Operating system(s):
AIX, Linux, Solaris, Windows, iOS
Reference #:
1991477
Modified date:
2016-10-05
Summary
An undisclosed information disclosure vulnerability in the IBM Jazz
Foundation affects the following IBM Jazz based Applications: Collaborative
Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational
Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational
Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and
Rational Software Architect (RSA DM).
Vulnerability Details
CVEID:
CVE-2016-2947
DESCRIPTION:
An undisclosed information disclosure vulnerability exists in the Jazz
Foundation products.
CVSS Base Score: 2.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113594
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
Rational Collaborative Lifecycle Management 4.0 - 6.0.2
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.2
Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.2
Rational DOORS Next Generation 4.0 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.2
Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.2
Rational Rhapsody Design Manager 4.0 - 4.0.7
Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.2
Rational Software Architect Design Manager 4.0 - 4.0.7
Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.2
Remediation/Fixes
For the 6.0.x releases, upgrade to version 6.0.2 ifix5 or later
Rational Collaborative Lifecycle Management 6.0.2 iFix5
Rational Team Concert 6.0.2 iFix5
Rational Quality Manager 6.0.2 iFix5
Rational DOORS Next Generation 6.0.2 iFix5
Rational Software Architect Design Manager:
Upgrade to version 6.0.2 and install server from
CLM 6.0.2 iFix5
Rational Rhapsody Design Manager:
Upgrade to version 6.0.2 and install server from
CLM 6.0.2 iFix5
Rational Engineering Lifecycle Manager:
Upgrade to version
RELM 6.0.2
install server from
CLM 6.0.2 iFix5
Rational Collaborative Lifecycle Management 5.0.2 iFix18
Rational Team Concert 5.0.2 iFix18
Rational Quality Manager 5.0.2 iFix18
Rational DOORS Next Generation 5.0.2 iFix18
Rational Software Architect Design Manager:
Upgrade to version 5.0.2 and install server from
CLM 5.0.2 iFix18
Rational Rhapsody Design Manager:
Upgrade to version 5.0.2 and install server from
CLM 5.0.2 iFix18
Rational Engineering Lifecycle Manager:
Upgrade to version 5.0.2 and install install server from
CLM 5.0.2 iFix18
Rational Collaborative Lifecycle Management 4.0.7 iFix11
Rational Team Concert 4.0.7 iFix11
Rational Quality Manager 4.0.7 iFix11
Rational DOORS Next Generation/Requirements Composer 4.0.7 iFix11
Rational Software Architect Design Manager:
Upgrade to version 4.0.7 and install server from
CLM 4.0.7 iFix11
Rational Rhapsody Design Manager: Upgrade to version 4.0.7 and install server
from
CLM 4.0.7 iFix11
Rational Engineering Lifecycle Manager: Upgrade to version 4.0.7 and install
server from
CLM 4.0.7 iFix11
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site
Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
05 October 2016: Initial Publication
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: XStream XML information discloure vulnerability affects
IBM Rational Quality Manager (CVE-2016-3674)
Security Bulletin
Document information
More support for:
Rational Quality Manager
General Information
Software version:
3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6,
4.0.7, 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2
Operating system(s):
AIX, Linux, Solaris, Windows
Reference #:
1991406
Modified date:
2016-10-05
Summary
XStream XML information discloure in XStream libraries shipped with IBM
Rational Quality Manager could allow a remote attacker to obtain sensitive
information.
Vulnerability Details
CVEID:
CVE-2016-3674
DESCRIPTION:
XStream libraries shipped with
IBM Rational Quality Manager could allow a remote attacker to obtain
sensitive information, caused by an error when processing XML external
entities. By sending specially-crafted XML data, an attacker could exploit
this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/111806
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
Rational Collaborative Lifecycle Management 4.0.0 - 6.0.2
Rational Quality Manager 6.0 - 6.0.2
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 3.0.1.6
Remediation/Fixes
Note: In the instructions below, replace Y.Y.Y with the product version you
have deployed. For example, replace Y.Y.Y with 6.0.2 if that is the version
deployed.
For jars with X.X.XXX.vXXX in the instructions below, the X's will be
dependent on your exact version. Use the version that is deployed.
1. Get the xStream library 1.4.9 version from
http://x-stream.github.io/download.html
2. Go to the rqm-update-site\plugins folder in your CLM installation path:
C:\<installation directory>\server\conf\qm\sites\rqm-update-site
3. Locate the jar file: com.ibm.rational.test.lm.service_X.X.XXX.vXXX.jar
a. Make a backup
b. Open the jar and from inside
c. Delete the files:
xstream-Y.Y.Y.jar
and
xstream-SNAPSHOT.jar
d. Copy the new xStream library the same place (xstream-1.4.9.jar)
e. Edit the build.properties file.
i. Delete the following lines:
xstream-Y.Y.Y.jar,\
and
xstream-SNAPSHOT.jar,\
ii. Add the following line in the same place:
xstream-1.4.9.jar,\
f. Edit the META-INF\MANIFEST.MF file.
i. Delete the following lines:
xstream-Y.Y.Y.jar,
and
xstream-SNAPSHOT.jar,
ii. Add the following line in the same place:
xstream-1.4.9.jar,
a. Make a backup
b. Open the jar and from inside
c. Delete the files:
lib\xstream-Y.Y.Y.jar
d. Copy the new xStream library the same place (xstream-1.4.9.jar)
e. Edit the build.properties file.
i. Delete the following lines:
lib/xstream-Y.Y.Y.jar,\
ii. Add the following line in the same place:
lib/xstream-1.4.9.jar,\
f. Edit the META-INF\MANIFEST.MF file.
i. Delete the following lines:
lib/xstream-Y.Y.Y.jar,
ii. Add the following line in the same place:
lib/xstream-1.4.9.jar,
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site
Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
05 October 2016: Original version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: Code execution vulnerability in WebSphere Application
Server affects multiple IBM Rational products based on IBM Jazz technology
(CVE-2016-5983)
Security Bulletin
Document information
More support for:
Rational Collaborative Lifecycle Management
General Information
Software version:
4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0,
6.0.1, 6.0.2
Operating system(s):
AIX, Linux, Solaris, Windows, iOS
Reference #:
1991476
Modified date:
2016-10-05
Summary
Code Execution vulnerability in WebSphere Application Server bundled with IBM
Jazz Team Server based Applications affects multiple products: Collaborative
Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational
Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational
Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and
Rational Software Architect (RSA DM).
Vulnerability Details
CVEID:
CVE-2016-5983
DESCRIPTION:
IBM WebSphere Application Server could allow remote attackers to execute
arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/116468
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Rational Collaborative Lifecycle Management 4.0 - 6.0.2
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.2
Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.2
Rational DOORS Next Generation 4.0.1 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.2
Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.2
Rational Rhapsody Design Manager 4.0 - 4.0.7
Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.2
Rational Software Architect Design Manager 4.0 - 4.0.7
Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.2
Remediation/Fixes
The IBM Jazz Team Server based Applications bundle different versions of IBM
WebSphere Application Server and IBM WebSphere Application Server Liberty
with the available versions of the products, and in addition to the bundled
version some previous versions of WAS are also supported. For a remediation
follow the WAS security bulletin appropriately:
1. Review the Security Bulletin: Code execution vulnerability in WebSphere
Application Server (CVE-2016-5983) for vulnerability details.
2. Check the version of WAS, if any, that your deployment is actually using,
and compare it against the list of affected versions in the security bulletin.
3. Review the Remediation/Fixes section in the Security Bulletin: Code
execution vulnerability in WebSphere Application Server (CVE-2016-5983) for
available fixes in the version that you are using.
- - NOTE: When installing the fixed WAS Liberty package use
<JazzInstallLocation>/server/liberty/wlp as the location of the WAS Liberty
installation, where <JazzInstallLocation> is the root folder of your CLM
installation.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site
Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
05 October 2016: Initial Publication
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV/X/7Ix+lLeg9Ub1AQgmNhAApihx8ONuKUmXwAjhFogP/i1n7v+YRT2i
/VwUYqM7NePZ0kUiFyMEuoTfVyPLMGFEAz41pNvmYV/brCNWxSc0C2VLL99Bu4rV
scwY4xcoBkNi53ZCvlQGn1CLHm+Rn/Nt8394RCWa5CkZPnGA4sngBKJh/K0XMTEQ
vku9u36gMFNZbb+mLaqVpvyNFEiPBIC2WkyGY4/hWu2l7FWu0Us5NG0HNPMJQ3Ti
UEzwU+I0mY6TxATonJeJSbg9ZNRrcnSShK8uGS6WPL8XiQDZf6s6oNqt165e0Jxm
olUBJKrSbda859s3YpTzMpE/pPvtzlZnrKsr84GVAVO+U0Qm5uNIs2fgZ8eKWGA2
4CUaJ2REJSfUkaghfpWVCQHbQ4tKPf19UteB1CwT7kAIsBLdQjfy/6ebz9SLH4Dk
hSjL431IQ9oWxpo12ugJRelb8OU8Dbb3SggSKm/4Bz2czes7+e2gEKKrWzdGsuO6
d2wcOZdoWvhooCjrFzw2W26kMVb66frLlRxJX3aMzIhBhbPkq9hGrzI1NPG9QvQp
7R8H3brB467uUgLfNJYMumFmIzdyDdZnmQPXYYo2ffphZTcEWJhYcDqjxODB1VMw
OiNwOsoKfOazH4bKZ6z0cHfbqDjjCEY0cKKC7dWi5OWbfcsf2wL04IhV6l7MWeIk
tatF5zDitdU=
=8Bmh
-----END PGP SIGNATURE-----