Security Bulletin: Multiple vulnerabilities affect IBM Engineering products.

Published: Feb 26, 2021, 8:22 p.m.
Source: www.ibm.com
Summary

Multiple vulnerabilities in IBM Jazz Team Server and in components it uses affect the following IBM Jazz Team Server based applications: Engineering Lifecycle Management (ELM), Global Configuration Management (GCM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Requirements Quality Assistant On-Premises (RQA On-Prem), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), and IBM Engineering Systems Design Rhapsody - Model Manager (RMM).

Vulnerability Details

CVEID: CVE-2020-4857
**DESCRIPTION:** IBM Engineering Requirements Management DOORS Next is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-4866
**DESCRIPTION:** IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190742 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2021-20350
**DESCRIPTION:** IBM Engineering Requirements Quality Assistant is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194707 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2009-4269
**DESCRIPTION:** Apache Derby could allow a remote attacker to obtain sensitive information, caused by the reduction of the size of the set of inputs to SHA-1 by the password hash generation algorithm managed by the BUILTIN authentication functionality. By generating hash collisions, a remote attacker could exploit this vulnerability to crack passwords and obtain sensitive information.
CVSS Base score: 2.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/61202 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1832
**DESCRIPTION:** Apache Derby could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/115625 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2018-1313
**DESCRIPTION:** Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of received network packets. By sending a specially crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/142898 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2021-20340
**DESCRIPTION:** IBM Engineering Test Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-4975
**DESCRIPTION:** IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192435 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-4863
**DESCRIPTION:** IBM Engineering Test Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190566 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-26217
**DESCRIPTION:** XStream could allow a remote attacker to execute arbitrary code on the system, caused by flaws in the XStream.java and SecurityVulnerabilityTest.java scripts. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192210 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2021-2069
**DESCRIPTION:** An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, high integrity impact, and low availability impact.
CVSS Base score: 8.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195168 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

CVEID: CVE-2021-2066
**DESCRIPTION:** An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, high integrity impact, and low availability impact.
CVSS Base score: 8.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195165 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

CVEID: CVE-2021-2068
**DESCRIPTION:** An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, high integrity impact, and low availability impact.
CVSS Base score: 8.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195167 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

CVEID: CVE-2021-2067
**DESCRIPTION:** An unspecified vulnerability in Oracle Outside In Technology related to the Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, high integrity impact, and low availability impact.
CVSS Base score: 8.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195166 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

CVEID: CVE-2020-4856
**DESCRIPTION:** IBM Engineering Requirements Management DOORS Next is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID: CVE-2021-20351
**DESCRIPTION:** IBM Engineering Requirements Quality Assistant is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194708 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| RDNG | 6.0.2 |
| DOORS Next | 7.0 |
| DOORS Next | 7.0.1 |
| DOORS Next | 7.0.2 |
| RDNG | 6.0.6.1 |
| RDNG | 6.0.6 |
| PUB | 7.0.1 |
| PUB | 7.0.2 |
| PUB | 7.0 |
| EWM | 7.0.2 |
| EWM | 7.0.1 |
| RTC | 6.0.2 |
| RTC | 6.0.6.1 |
| EWM | 7.0 |
| RTC | 6.0.6 |
| Global Configuration Management | All |
| ETM | 7.0.2 |
| RQM | 6.0.6.1 |
| ETM | 7.0.1 |
| RQM | 6.0.6 |
| ETM | 7.0.0 |
| RQM | 6.0.2 |
| IBM Engineering Requirements Quality Assistant On-Premises | All |

Remediation/Fixes

For the 6.0 - 7.0.2 releases:

Upgrade to version 7.0.2 iFix001 or later

Upgrade to version 7.0.1 iFix006 or later

Upgrade to version 7.0 iFix008 or later

Upgrade to version 6.0.6.1 iFix015 or later

Upgrade to version 6.0.6 iFix019 or later

Upgrade to version 6.0.2 iFix027 or later

For IBM Engineering Requirements Quality Assistant On-Premises:

For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal, please contact IBM Support.
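The fix levels above are stated per release stream, so checking an estate against this bulletin means parsing each installed level ("7.0.1 iFix004") into its release and iFix number and comparing against the minimum iFix for that stream. The following checker is an added example, not IBM's code; the minimum iFix per release is copied from the Remediation section, while the inventory it runs over is constructed for illustration, and the `"7.0.0"`-to-`"7.0"` normalisation is an assumption made because the Affected Products table spells the same release both ways.

```python
"""Compare installed Jazz-based product levels against this bulletin's fix levels.

Added example (not IBM's code). MIN_IFIX comes from the bulletin's Remediation
section; the inventory is constructed sample data.
"""
import re

# Release stream -> first iFix level that contains the fixes (from the bulletin).
MIN_IFIX = {
    "7.0.2": 1,
    "7.0.1": 6,
    "7.0": 8,
    "6.0.6.1": 15,
    "6.0.6": 19,
    "6.0.2": 27,
}

# "7.0.1 iFix006", "6.0.6.1 ifix15", "7.0" (no iFix at all) are all accepted.
_LEVEL_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s*iFix\s*0*(\d+))?\s*$", re.IGNORECASE)


def normalise_release(release: str) -> str:
    """Assumption: trailing '.0' components beyond major.minor are cosmetic ('7.0.0' == '7.0')."""
    parts = release.split(".")
    while len(parts) > 2 and parts[-1] == "0":
        parts.pop()
    return ".".join(parts)


def parse_level(level: str):
    """'7.0.1 iFix006' -> ('7.0.1', 6); a level without an iFix suffix counts as iFix 0."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"unrecognised product level: {level!r}")
    ifix = int(m.group(2)) if m.group(2) else 0
    return normalise_release(m.group(1)), ifix


def status(level: str) -> str:
    """Classify one installed level against the bulletin."""
    release, ifix = parse_level(level)
    required = MIN_IFIX.get(release)
    if required is None:
        # Not a stream the bulletin lists a fix for: the bulletin's advice is to
        # move to a fixed, supported release; flag it for manual review.
        return "review: release not covered by bulletin"
    if ifix >= required:
        return "fixed"
    return f"vulnerable: needs {release} iFix{required:03d} or later"


def audit(inventory: dict) -> dict:
    """Map host -> status for an {host: level} inventory; parse errors are reported, not raised."""
    report = {}
    for host, level in inventory.items():
        try:
            report[host] = status(level)
        except ValueError as exc:
            report[host] = f"error: {exc}"
    return report


# Constructed sample inventory (hostnames and levels are made up).
SAMPLE_INVENTORY = {
    "ewm-prod-01": "7.0.2 iFix001",
    "ewm-prod-02": "7.0.1 iFix004",
    "etm-legacy": "7.0.0 iFix008",
    "rtc-old": "6.0.2 iFix026",
    "rdng-archive": "5.0.2",
    "rqm-test": "6.0.6.1 iFix15",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {result}")
```

Treating a level with no iFix suffix as iFix 0 is deliberate: an unpatched base release is exactly the case the bulletin is about, and a parser that rejected it would hide the hosts you most need to see.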

Workarounds and Mitigations

None