Lucene search

K
ibmIBM786A4DDE0028F9E1A249EEFBD707DEEB8725D4ED4823D6C82561F75EC024844B
HistoryJul 25, 2022 - 2:49 p.m.

Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase ( CVE-2021-35578, CVE-2021-35603, CVE-2021-35550, CVE-2021-35561, CVE-2022-21299 )

2022-07-2514:49:17
www.ibm.com
14

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.002 Low

EPSS

Percentile

50.4%

Summary

There are vulnerabilities in the IBM® Runtime Environment Java™ Versions 7 and 8, which is used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in October 2021 and January 2022.

Vulnerability Details

CVEID:CVE-2021-35578
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2021-35603
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-35550
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-35561
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21299
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217594 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Rational ClearCase 8.0.0
IBM Rational ClearCase 9.0
IBM Rational ClearCase 9.0.1
IBM Rational ClearCase 9.1
IBM Rational ClearCase 9.0.2
IBM Rational ClearCase 8.0.1

Remediation/Fixes

The solution is to install a fix that includes an updated Java™ Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS).

Client and server fixes

Apply the relevant fixes as listed in the table below.

Affected Versions

|

Applying the fix

—|—
9.1 through 9.1.0.3| Install Rational ClearCase Fix Pack 3 (9.1.0.3) for 9.1

9.0.2 through 9.0.2.6

| Install Rational ClearCase Fix Pack 6 (9.0.2.6) for 9.0.2

9.0.1 through 9.0.1.14
9.0 through 9.0.0.6

| Install Rational ClearCase Fix Pack 14 (9.0.1.14) for 9.0.1

For 8.0 and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Notes:

If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), or you use rcleartool or CMAPI using a Java™ Virtual Machine not supplied by IBM as part of Rational ClearCase, you should update the Java™ Virtual Machine that you use to include a fix for the above issues. Contact the supplier of your Java™ Virtual Machine and/or the supplier of your Eclipse shell.

CCRC WAN server fixes

Affected Versions

|

Applying the fix

—|—

9.0.0.x
9.0.1.x
9.0.2.x
9.1.0.x

| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.

  1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or <ccase-home>/common/ccrcprofile), then execute the script: bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes a section “IBM WebSphere Application Server”. Make note of the version listed in this section.
  2. Review the following WAS security bulletin:
    Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to April 2022 CPU plus deferred CVE-2022-21299
    Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM Application Server Liberty due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603
    Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server October 2021 CPU
    and apply the latest available fix for the version of WAS used for CCRC WAN server.

**Note:**There may be newer security fixes for WebSphere Application Server. Subscribe to “My Notifications” to be notified about WebSphere product support alerts for additional Java SDK fixes.

Workarounds and Mitigations

None

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.002 Low

EPSS

Percentile

50.4%

Related for 786A4DDE0028F9E1A249EEFBD707DEEB8725D4ED4823D6C82561F75EC024844B