IBM476FAB09ED6F76F0A412BD4467E1F98636B5DDD815F1325B0D1221FBB643F607Security Bulletin: Rational RequisitePro affected by OpenSSL vulnerabilities: (CVE-2014-5139, CVE-2014-3509, CVE-2014-3511)
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Summary
Security vulnerabilities have been discovered in OpenSSL that were reported on August 7, 2014 by the OpenSSL Project.
Vulnerability Details
| Subscribe to My Notifications to be notified of important product support alerts like this.
- Follow this link for more information (requires login with your IBM ID)
—|—
CVE-ID: CVE-2014-5139
Description: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when an SRP ciphersuite is specified without being properly negotiated with the client. A remote attacker could exploit this vulnerability to cause the client to crash.
CVSS Base Score: 5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95166> for more information CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3509
Description: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95159> for more information CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3511
Description: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95162> for more information CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM Rational RequisitePro versions:
| Version | Status |
|---|---|
| 7.1.4 through 7.1.4.5 | Affected |
| 7.1.3 through 7.1.3.12 | Affected |
| 7.1.0.x, 7.1.1.x (all versions), 7.1.2 through 7.1.2.15 | Affected |
| 7.0.x | Not Affected |
You are vulnerable if you use ratlperl, ccperl or cqperl to run your own perl scripts, and those scripts use SSL connections.
Remediation/Fixes
Apply a fix pack for your appropriate ReqPro release.
| Affected Version | Applying the fix |
|---|---|
| 7.1.4.x | Install Rational RequisitePro Fix Pack 6 (7.1.4.6) for 7.1.4 |
| 7.1.3.x | Install Rational RequisitePro Fix Pack 13 (7.1.3.13) for 7.1.3 |
| 7.1.2.x | Install Rational RequisitePro Fix Pack 16 (7.1.2.16) for 7.1.2 |
| 7.1.1.x | Install Rational RequisitePro Fix Pack 16 (7.1.2.16) for 7.1.2 |
| **Note:**7.1.2.16 interoperates with all 7.1.x.x systems, and can be installed in the same way as 7.1.x.x fix packs. |
Workarounds and Mitigations
None
Related
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P