Security Bulletin: Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions.

Summary

Vulnerabilities in the Jetty 9.4.48 and earlier component shipped with Rational Change may affect the security of the product.

Vulnerability Details

CVEID:CVE-2023-26048
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-26049
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Upgrade to Rational Change 5.3.2.6 supporting Jetty 9.4.51 from IBM Passport Advantage and apply it.

NOTE:

Download the Rational Change 5.3.2.6 installation image by referring to the installation platform and its part number in the following list:

• IBM Rational Change V5.3.2.6 Multi-platform Multilingual (CC5T0ML) - Windows and Linux included.

Workarounds and Mitigations

None.