Security Bulletin: A vulnerability in OpenSSL affects IBM Rational ClearQuest (CVE-2019-1551)

Summary

OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM Rational ClearQuest. IBM Rational ClearQuest has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2019-1551
**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172752 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Rational ClearQuest version 8 and 9 in the following components:

• ClearQuest hooks and cqperl/ratlperl scripts that use SSL.
• ClearQuest SSL database connections.

Remediation/Fixes

Apply a fix pack as listed in the table below. The fix pack includes OpenSSL 1.1.1g.

Affected Versions

|

Applying the fix

—|—
9.0.2 through 9.0.2.1 | Install Rational ClearQuest Fix Pack 2 (9.0.2.2) for 9.0.2

9.0.1 through 9.0.1.9
9.0 through 9.0.0.6

| Install Rational ClearQuest Fix Pack 10 (9.0.1.10) for 9.0.1

8.0.1 through 8.0.1.23
8.0 through 8.0.0.21

| Install Rational ClearQuest Fix Pack 24 (8.0.1.24) for 8.0.1

For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None