History: Apr 28, 2021 - 6:35 p.m.

Security Bulletin: Vulnerability in WebSphere Application Server Liberty Profile affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-0389)

2021-04-28 18:35:50
www.ibm.com

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low
Percentile: 63.4%

Summary

Information disclosure vulnerability in WebSphere Application Server Liberty Profile bundled with IBM Jazz Team Server based Applications affects multiple products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), and Rational Rhapsody Design Manager (Rhapsody DM).

Vulnerability Details

CVEID: CVE-2016-0389
DESCRIPTION: IBM Jazz Team Server and the CLM applications (RTC, RQM, RDNG), RELM, and Rhapsody DM are affected by an information disclosure vulnerability in IBM WebSphere Application Server Liberty, caused by improper handling by the Admin Center, that could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112529 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 6.0.2
Rational Quality Manager 6.0.2
Rational Team Concert 6.0.2
Rational DOORS Next Generation 6.0.2
Rational Engineering Lifecycle Manager 6.0.2
Rational Rhapsody Design Manager 6.0.2

Remediation/Fixes

For V8.5.5.8 Liberty bundled with Jazz Team Server based Applications 6.0.2, upgrade to the minimal fix pack levels required by the interim fix, and then apply the Interim Fix.

* Apply Interim Fix following the instructions from [_v8558 Liberty Profile Archive Fix Readme_](<ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI62052/8.5.5.8/readme.txt>). 
* Use <JazzInstallLocation>/server/liberty/wlp as the location of the Liberty installation, where <JazzInstallLocation> is the root folder of your CLM 6.0.2 installation. 
