
Security Bulletin: Cross-site Scripting vulnerability affects Rational Engineering Lifecycle Manager

Published: 2018-06-17 05:23:01
Source: www.ibm.com

EPSS: 0.001 (percentile 25.3%)

Summary

Rational Engineering Lifecycle Manager is vulnerable to a cross-site scripting attack with potential for credentials disclosure within a trusted session.

Vulnerability Details

CVEID: CVE-2017-1168
DESCRIPTION: IBM RELM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.3

Note: 6.0.4 release is not affected.

Remediation/Fixes

For 6.0 - 6.0.3 releases, upgrade to one of the following versions:

  • Upgrade to 6.0.2 ifix11 or later:
  1. Get the CLM ifix11 or later from: CLM 6.0.2 iFix11
  2. Start the package installation and select RELM when asked about the products to be updated.

If the iFix is not found in the Fix Portal, please contact IBM Support.

Workarounds and Mitigations

None
