History: Apr 28, 2021 - 6:35 p.m.

Security Bulletin: Multiple vulnerabilities in Rational Collaborative Lifecycle Management 4.0.1 (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

2021-04-28 18:35:50
www.ibm.com
CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low
Percentile: 67.0%

Summary

Vulnerabilities have been identified in IBM Rational Team Concert (RTC), IBM Rational Quality Manager (RQM), and IBM Rational Requirements Composer (RRC) versions 4.0 and 4.0.1 and the Rational Collaborative Lifecycle Management Solution (CLM), allowing a remote attacker to bypass access restrictions on the server process.

Vulnerability Details

CVEID: CVE-2012-5885

Description: Replay-countermeasure functionality in HTTP Digest Access Authentication has a flaw, which makes it easier for attackers to bypass access restrictions.

CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/80408> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2012-5886

Description: HTTP Digest Access Authentication implementation could potentially allow an attacker to bypass authentication.

CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/80407> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5887

Description: HTTP Digest Access Authentication implementation has a flaw which allows an attacker to bypass restrictions.

CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79809> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

CLM 4.0.1 and earlier
RTC 4.0.1 and earlier
RQM 4.0.1 and earlier
RRC 4.0.1 and earlier

Remediation/Fixes

Apply version 4.0.2 or later to resolve the issue.

Downloads are available from <https://jazz.net/downloads>

Workarounds and Mitigations

Isolate systems from untrusted network traffic by means of firewalls.
