Security Bulletin: Security vulnerability in Apache FOP affects IBM® Rational® Quality Manager

Summary

Security Vulnerability in Apache FOP shipped with IBM Rational Quality Manager was disclosed. IBM Rational Quality Manager has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2017-5661 DESCRIPTION: Apache FOP could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file. A remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124797&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 5.0 - 6.0.6

Rational Quality Manager 6.0 - 6.0.6
Rational Quality Manager 5.0 - 5.0.2

Remediation/Fixes

For the 6.0.x and 5.x releases:

• Upgrade to version 6.0.6 iFix008 or later
  • Rational Quality Manager 6.0.6 iFix008
• Or version 6.0.2 iFix020 or later
  • Rational Quality Manager 6.0.2 iFix020

For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the iFix Portal please contact IBM support.

Workarounds and Mitigations

None