IBM848CE2FC7D41E8B39820AE13C674950143027302A331E7FFAD731892AEDF61CCSecurity Bulletin: Multiple vulnerabilities affects IBM Jazz Foundation and IBM Engineering products.
EPSS
Percentile
19.6%
Summary
There are multiple vulnerabilities that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Systems Design Rhapsody - Model Manager (RMM).
Vulnerability Details
CVEID:CVE-2020-4445
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181122 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-4522
**DESCRIPTION:**IBM Engineering Requirements Management DOORS Next is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182397 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-4546
**DESCRIPTION:**IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183314 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| RDNG | 6.0.2 |
| RDNG | 6.0.6.1 |
| RDNG | 6.0.6 |
| DOORS Next | 7.0 |
| RTC | 6.0.2 |
| RTC | 6.0.6.1 |
| RTC | 6.0.6 |
| EWM | 7.0 |
| IBM Engineering Requirements Management DOORS Next | DOORS Next 7.0.1 |
| RELM | 6.0.6.1 |
| RELM | 6.0.6 |
| RELM | 6.0.2 |
| ENI | 7.0 |
| RQM | 6.0.6.1 |
| RQM | 6.0.6 |
| ETM | 7.0.0 |
| RQM | 6.0.2 |
| CLM | 6.0.6.1 |
| CLM | 6.0.6 |
| CLM | 6.0.2 |
| ELM | 7.0 |
| IBM Engineering Workflow Management | EWM 7.0.1 |
Remediation/Fixes
For the 6.0 - 7.0 releases:
Upgrade to version 7.0 iFix003 or later
- IBM Engineering Lifecycle Management 7.0 iFix003
- IBM Engineering Requirements Management DOORS Next 7.0 iFix003
- IBM Engineering Test Management 7.0 iFix003
- IBM Engineering Workflow Management 7.0 iFix003
- IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix003
- IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix003
- IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix003
- Upgrade to version 6.0.6.1 iFix011 or later
- Rational Collaborative Lifecycle Management 6.0.6.1 iFix011
- Rational DOORS Next Generation 6.0.6.1 iFix011
- Rational Quality Manager 6.0.6.1 iFix011
- Rational Team Concert 6.0.6.1 iFix011
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
Upgrade to version 6.0.6 iFix017 or later
- Rational Collaborative Lifecycle Management 6.0.6 iFix017
- Rational DOORS Next Generation 6.0.6 iFix017
- Rational Quality Manager 6.0.6 iFix017
- Rational Team Concert 6.0.6 iFix017
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
Upgrade to version 6.0.2 iFix025 or later
- Rational Collaborative Lifecycle Management 6.0.2 iFix025
- Rational Team Concert 6.0.2 iFix025
- Rational Quality Manager 6.0.2 iFix025
- Rational DOORS Next Generation 6.0.2 iFix025
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
If the iFix is not found in the Fix Portal please contact IBM Support.
Workarounds and Mitigations
None
Related
EPSS
Percentile
19.6%