History: Jun 17, 2018 - 4:53 a.m.

Security Bulletin: XML External Entity (XXE) vulnerabilities in ClearQuest (CVE-2014-0950)

2018-06-17 04:53:30
www.ibm.com

EPSS: 0.001 (Low), Percentile: 45.2%

Summary

IBM Rational ClearQuest is vulnerable to XML external entity attacks. These attacks could cause denial of service or be used to attack other servers accessible from a client or server.

Vulnerability Details


CVE ID: CVE-2014-0950

**Description:** IBM Rational ClearQuest is vulnerable to XML external entity attacks. A malicious server could provoke a client to access other servers. A malicious client could cause denial of service on a server, or cause the server to access other servers.
The vulnerable components are:

  • CQWeb / CM Server
  • ClearQuest Native client
  • ClearQuest Eclipse client
  • ClearQuest Eclipse Designer

CVSS Base Score: 4

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92623> for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

IBM Rational ClearQuest versions 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.13, 8.0.0 through 8.0.0.10, and 8.0.1 through 8.0.1.3

| ClearQuest version | Status |
|---|---|
| 8.0.1 through 8.0.1.3 | Affected |
| 8.0 through 8.0.0.10 | Affected |
| 7.1.2 through 7.1.2.13 | Affected |
| 7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected |

Remediation/Fixes

The solution is to upgrade to a newer fix pack of ClearQuest.

| Affected Versions | Apply the fix |
|---|---|
| 8.0.1.x | Rational ClearQuest Fix Pack 4 (8.0.1.4) for 8.0.1 |
| 8.0.0.x | Rational ClearQuest Fix Pack 11 (8.0.0.11) for 8.0 |
| 7.1.2.x | Rational ClearQuest Fix Pack 14 (7.1.2.14) for 7.1.2 |
| 7.1.1.x, 7.1.0.x | Rational ClearQuest Fix Pack 14 (7.1.2.14) for 7.1.2 |

  • Note: 7.1.2.14 inter-operates with all 7.1.1.x systems, and can be installed in the same way as 7.1.1.x fix packs.

Workarounds and Mitigations

None
