Security Bulletin: Cross-site scripting vulnerability affects IBM Jazz Foundation and IBM Engineering products.

Summary

There is a Cross-site scripting vulnerability that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Systems Design Rhapsody - Model Manager (RMM).

Vulnerability Details

CVEID:CVE-2019-4748
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173174 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For the 6.0 - 7.0 releases:

Upgrade to version 7.0 iFix003 or later

• IBM Engineering Lifecycle Management 7.0 iFix003
• IBM Engineering Requirements Management DOORS Next 7.0 iFix003
• IBM Engineering Test Management 7.0 iFix003
• IBM Engineering Workflow Management 7.0 iFix003
• IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix003
• IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix003
• IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix003

1. Upgrade to version 6.0.6.1 iFix011 or later

• Rational Collaborative Lifecycle Management 6.0.6.1 iFix011
• Rational DOORS Next Generation 6.0.6.1 iFix011
• Rational Quality Manager 6.0.6.1 iFix011
• Rational Team Concert 6.0.6.1 iFix011
• Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
• Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
• IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
• Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011

Upgrade to version 6.0.6 iFix017 or later

• Rational Collaborative Lifecycle Management 6.0.6 iFix017
• Rational DOORS Next Generation 6.0.6 iFix017
• Rational Quality Manager 6.0.6 iFix017
• Rational Team Concert 6.0.6 iFix017
• Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
• Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
• IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
• Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017

Upgrade to version 6.0.2 iFix025 or later

• Rational Collaborative Lifecycle Management 6.0.2 iFix025
• Rational Team Concert 6.0.2 iFix025
• Rational Quality Manager 6.0.2 iFix025
• Rational DOORS Next Generation 6.0.2 iFix025
• Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
• Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
• Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025

For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None