
Security Bulletin: Security vulnerability in Jazz Team Server affects multiple IBM Rational products based on IBM's Jazz technology (CVE-2014-3092)

2021-04-28 18:35:50
www.ibm.com

EPSS: 0.002 Low
Percentile: 55.1%

Summary

A vulnerability in the Jazz Team Server affects the following IBM Rational products: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rhapsody Design Manager (Rhapsody DM), Rational Software Architect Design Manager (RSA DM), Rational Team Concert (RTC), and Rational Quality Manager (RQM).

Vulnerability Details

IBM Jazz Team Server applications are affected by the following vulnerability:

CVEID: CVE-2014-3092

Description: IBM Jazz Team Server could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.

CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94258> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

Rational Quality Manager 2.0 - 2.0.1 (All Editions)
Rational Quality Manager 3.0 - 3.0.1.6 iFix2
Rational Quality Manager 4.0 - 4.0.6
Rational Quality Manager 5.0

Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix2
Rational Team Concert 4.0 - 4.0.6
Rational Team Concert 5.0

Rational Requirements Composer 2.0 - 2.0.0.4 (All Editions)
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 2
Rational Requirements Composer 4.0 - 4.0.6

Rational DOORS Next Generation 4.0 - 4.0.6
Rational DOORS Next Generation 5.0

Rational Engineering Lifecycle Manager 1.0-1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3-4.0.6
Rational Engineering Lifecycle Manager 5.0

Rational Rhapsody Design Manager 3.0-3.0.1
Rational Rhapsody Design Manager 4.0-4.0.6
Rational Rhapsody Design Manager 5.0

Rational Software Architect Design Manager 3.0-3.0.1
Rational Software Architect Design Manager 4.0-4.0.6
Rational Software Architect Design Manager 5.0

Remediation/Fixes

A fix is available by upgrading to the 5.0.1 release.

For the 4.x releases, upgrade to version 4.0.7.

For the 3.x releases, upgrade to version 3.0.1.6 iFix 3.

For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, contact IBM support for guidance.

For the 2.x releases, contact IBM support for additional details on the fix.
For the 1.x releases of RELM, contact IBM support for additional details on the fix.

Workarounds and Mitigations

None
