
Security Bulletin: Vulnerabilities in ClearQuest OpenSSL Component (CVE-2013-4353, CVE-2013-6450, CVE-2013-6449 )

2018-09-29 18:04:03
www.ibm.com

7.5 High
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5.8 Medium
CVSS2
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P

Summary

The OpenSSL component is embedded in cqperl. Customers may be affected when they have Perl hooks or scripts that use SSL connections. ClearQuest itself does not provide any services using OpenSSL.

Vulnerability Details


CVE ID: CVE-2013-4353

Description: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a connecting client to crash.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90201 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-6450

Description: OpenSSL is vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the daemon to crash.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90069 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-6449

Description: OpenSSL is vulnerable to a denial of service. A remote attacker could exploit this vulnerability using specially-crafted traffic from a TLS 1.2 client to cause the daemon to crash.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90068 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Rational ClearQuest versions 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.12, 8.0.0 through 8.0.0.9, and 8.0.1 through 8.0.1.2 where you have written Perl hooks or scripts that use SSL connections.

Remediation/Fixes

The solution is to upgrade to a version of ClearQuest that has a newer OpenSSL component that corrects these vulnerabilities. Select the proper fix for your version:

Client fixes (for Windows ClearQuest clients meeting the description above of vulnerable configurations)

Systems running 8.0.1 through 8.0.1.2:
* Upgrade to Rational ClearQuest Fix Pack 3 (8.0.1.3) for 8.0.1

Systems running 8.0.0 through 8.0.0.9:
* Upgrade to Rational ClearQuest Fix Pack 10 (8.0.0.10) for 8.0

Systems running 7.1.1 through 7.1.1.9, or 7.1.2 through 7.1.2.12:
* Upgrade to Rational ClearQuest Fix Pack 13 (7.1.2.13) for 7.1.2.

Note: 7.1.2.13 inter-operates with all 7.1.1.x systems, and can be installed in the same way as 7.1.1.x fix packs.

Note: There is a serious security issue, CVE-2014-0160, which affects the above releases. It is recommended that you upgrade to the Interim Fix (contains OpenSSL 1.0.1g) associated with the Fix Packs listed above. Please read Security Bulletin: Rational ClearQuest affected by vulnerability in OpenSSL (CVE-2014-0160) for details.

Workarounds and Mitigations

None
