CVSS v2 base score: 6.4 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
The Apache Solr that is shipped with IBM Rational ClearQuest contains multiple security vulnerabilities. IBM Rational ClearQuest has addressed the applicable CVEs.
CVEID: CVE-2013-6407
DESCRIPTION: Apache Solr could allow a remote authenticated attacker to obtain sensitive information, caused by an error when parsing XML entities. By persuading a victim to open a specially-crafted XML document containing external entity references, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89379 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID: CVE-2013-6408
DESCRIPTION: Apache Solr could allow a remote authenticated attacker to obtain sensitive information, caused by an error when parsing XML entities. By persuading a victim to open a specially-crafted XML document containing external entity references, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89380 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
IBM Rational ClearQuest, versions 8.0, 8.0.1, 9.0 and 9.0.1, in the following component:

| ClearQuest version | Status |
|---|---|
| 9.0.1, 9.0.1.1 | Affected |
| 9.0 through 9.0.0.5 | Affected |
| 8.0.1 through 8.0.1.15 | Affected |
| 8.0 through 8.0.0.21 | Affected |
To fix your existing installation, you must uninstall ClearQuest, then install the appropriate fix pack that contains the fixes. The uninstall procedure will save settings and configurations; the install procedure will offer to restore them.
As an alternative, you can change the configuration of your current system; see the “Workarounds and Mitigations” section below.
| Affected Versions | Applying the fix |
|---|---|
| 9.0.1, 9.0.1.1 | Uninstall your current ClearQuest version, then install Rational ClearQuest Fix Pack 2 (9.0.1.2) for 9.0.1 |
| 9.0 through 9.0.0.5 | Uninstall your current ClearQuest version, then install Rational ClearQuest Fix Pack 6 (9.0.0.6) for 9.0 |
| 8.0.1 through 8.0.1.15 and 8.0 through 8.0.0.21 | Uninstall your current ClearQuest version, then install Rational ClearQuest Fix Pack 16 (8.0.1.16) for 8.0.1 |
For 7.0, 7.1 and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
The mitigation is to take the following steps:
Locate the file <CQFTS_Home>/<DBSet_UserDB>/Solr/solr/conf/solrconfig.xml
Find the following two XML blocks, which read
<requestHandler name="/update/xslt" startup="lazy" class="solr.XsltUpdateRequestHandler"/>
and
<requestHandler name="/analysis/document" class="solr.DocumentAnalysisRequestHandler" startup="lazy"/>
Either remove those two XML blocks or comment them out.
If you wish to use comments to exclude these blocks, you may use XML comment markers like this surrounding the blocks:
```xml
<!--
<requestHandler name="/update/xslt" startup="lazy" class="solr.XsltUpdateRequestHandler"/>
-->
<!--
<requestHandler name="/analysis/document" class="solr.DocumentAnalysisRequestHandler" startup="lazy"/>
-->
```
Locate the file <CQFTS_Home>/<DBSet_UserDB>/Solr/typeahead/conf/solrconfig.xml
Find the following two XML blocks, which read
<requestHandler name="/update/xslt" startup="lazy" class="solr.XsltUpdateRequestHandler"/>
and
<requestHandler name="/analysis/document" class="solr.DocumentAnalysisRequestHandler" startup="lazy"/>
Either remove those two XML blocks or comment them out.
If you wish to use comments to exclude these blocks, you may use XML comment markers like this surrounding the blocks:
```xml
<!--
<requestHandler name="/update/xslt" startup="lazy" class="solr.XsltUpdateRequestHandler"/>
-->
<!--
<requestHandler name="/analysis/document" class="solr.DocumentAnalysisRequestHandler" startup="lazy"/>
-->
```
Using the cqtsadmin.pl script, run the commands --stop_fts_was_profile and --start_fts_was_profile, as documented at <https://www.ibm.com/support/knowledgecenter/en/SSSH5A_9.0.1/com.ibm.rational.clearquest.cli.doc/topics/r_cqtsadmin_pl.htm>, to restart Solr so that the changes to the solrconfig.xml files take effect.

| Affected Versions | Applying the fix |
|---|---|
| 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | Apply the above fix directly to your ClearQuest. |

For 7.0, 7.1 and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
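To verify that the workaround above has actually been applied to both solrconfig.xml files, the following added script (not part of the IBM bulletin or the ClearQuest product) parses a solrconfig.xml, lists which of the two request handlers named in the workaround are still live, and can comment them out. The sample config embedded in it is constructed for illustration; the file paths and handler names come from the bulletin.

```python
"""Check ClearQuest/Solr solrconfig.xml files for the request handlers the bulletin
says to disable (/update/xslt and /analysis/document), and optionally comment them out."""
import re
import sys
import xml.etree.ElementTree as ET

# Handler names taken from the bulletin's workaround.
RISKY_HANDLERS = {"/update/xslt", "/analysis/document"}

# Constructed sample config for demonstration; a real file has many more elements.
SAMPLE_CONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/update/xslt" startup="lazy" class="solr.XsltUpdateRequestHandler"/>
  <requestHandler name="/analysis/document" class="solr.DocumentAnalysisRequestHandler" startup="lazy"/>
</config>
"""


def active_handlers(xml_text: str) -> set:
    """Names of all live <requestHandler> elements.
    ElementTree discards XML comments while parsing, so a handler that was
    commented out per the workaround does not show up here."""
    root = ET.fromstring(xml_text)
    return {rh.get("name", "") for rh in root.iter("requestHandler")}


def unmitigated_handlers(xml_text: str) -> set:
    """Risky handlers that are still enabled in this config (empty set == mitigated)."""
    return RISKY_HANDLERS & active_handlers(xml_text)


def comment_out_risky_handlers(xml_text: str) -> str:
    """Wrap each still-active risky, self-closing <requestHandler .../> in an XML comment.
    Only handlers reported as active are touched, so running this twice does not nest
    comments; the result is re-parsed to make sure the file is still well-formed XML."""
    for name in unmitigated_handlers(xml_text):
        pattern = rf'<requestHandler\b[^>]*\bname="{re.escape(name)}"[^>]*/>'
        xml_text = re.sub(pattern, lambda m: f"<!-- {m.group(0)} -->", xml_text)
    ET.fromstring(xml_text)  # raises ParseError if the edit broke the document
    return xml_text


if __name__ == "__main__":
    # Usage: python check_solrconfig.py <path to solrconfig.xml> [...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            left = unmitigated_handlers(fh.read())
        print(f"{path}: {'mitigated' if not left else 'still enabled: ' + ', '.join(sorted(left))}")
```

Run it against both <CQFTS_Home>/<DBSet_UserDB>/Solr/solr/conf/solrconfig.xml and <CQFTS_Home>/<DBSet_UserDB>/Solr/typeahead/conf/solrconfig.xml after editing, and again after the restart, to confirm nothing was missed.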