Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access

2018-06-1705:26:49

www.ibm.com

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7 and 8, which are used by IBM Rational DOORS Web Access. These issues were disclosed as part of the IBM Java SDK updates in October 2017.

Vulnerability Details

CVEID: CVE-2017-10356**
DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Rational DOORS Web Access: 9.5.0 - 9.5.0.1
Rational DOORS Web Access: 9.5.1 - 9.5.1.2
Rational DOORS Web Access: 9.5.2 - 9.5.2.1
Rational DOORS Web Access: 9.6.0 - 9.6.0.1
Rational DOORS Web Access: 9.6.1 - 9.6.1.10

Remediation/Fixes

For Rational DOORS Web Access installations, upgrade the JRE as noted in the table below. You can upgrade the JRE after Rational DOORS Web Access is installed. Publicly available versions of the Oracle JRE are not supported with Rational DOORS Web Access.

The following table presents Rational DOORS Web Access versions and the compatible versions of IBM JRE.

Rational DOORS Web Access	IBM Runtime Environment Java Version
9.5.0 - 9.5.0.1	9.5-RATIONAL-DOORS-JRE-7SR10FP15
9.5.1 - 9.5.1.2	9.5-RATIONAL-DOORS-JRE-7SR10FP15
9.5.2 - 9.5.2.1	9.5-RATIONAL-DOORS-JRE-7SR10FP15
9.6.0 - 9.6.0.1	9.6.0-RATIONAL-DOORS-JRE-7SR10FP15
9.6.1 - 9.6.1.4	9.6.1-RATIONAL-DOORS-JRE-7SR10FP15
9.6.1.7 - 9.6.1.10	9.6.1.10-RATIONAL-DOORS-JRE-8SR5FP5
For versions of Rational DOORS Web Access that are earlier than version 9.5.0.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm engineering requirements management doors web accesseq9.5
ibm engineering requirements management doors web accesseq9.5.0.1
ibm engineering requirements management doors web accesseq9.5.1
ibm engineering requirements management doors web accesseq9.5.1.1
ibm engineering requirements management doors web accesseq9.5.2
ibm engineering requirements management doors web accesseq9.5.2.1
ibm engineering requirements management doors web accesseq9.6
ibm engineering requirements management doors web accesseq9.6.0.1
ibm engineering requirements management doors web accesseq9.6.1
ibm engineering requirements management doors web accesseq9.6.1.1

Name	Operator	Version
ibm engineering requirements management doors web access	eq	9.5
ibm engineering requirements management doors web access	eq	9.5.0.1
ibm engineering requirements management doors web access	eq	9.5.1
ibm engineering requirements management doors web access	eq	9.5.1.1
ibm engineering requirements management doors web access	eq	9.5.2
ibm engineering requirements management doors web access	eq	9.5.2.1
ibm engineering requirements management doors web access	eq	9.6
ibm engineering requirements management doors web access	eq	9.6.0.1
ibm engineering requirements management doors web access	eq	9.6.1
ibm engineering requirements management doors web access	eq	9.6.1.1