OpenSSL vulnerabilities were disclosed on October 30, 2018 and November 2, 2018 by the OpenSSL Project. OpenSSL is used by IBM Rational ClearCase. IBM Rational ClearCase has addressed the applicable CVEs.
CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the new PortSmash side-channel attack, an attacker could run a malicious process next to legitimate processes using the architecture's parallel thread running capabilities to leak encrypted data from the CPU's internal processes. Note: This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152484 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
IBM Rational ClearCase versions:

| Version | Status |
|---|---|
| 9.0.1 through 9.0.1.5 | Affected |
| 9.0 through 9.0.0.6 | Affected |
| 8.0.1 through 8.0.1.19 | Affected |
| 8.0 through 8.0.0.21 | Affected |

Not all deployments of Rational ClearCase use OpenSSL in a way that is affected by these vulnerabilities.
You are vulnerable if your use of Rational ClearCase includes any of these configurations:
Apply a fix pack as listed in the table below. The fix pack includes OpenSSL 1.0.2q.

| Affected Versions | Applying the fix |
|---|---|
| 9.0.1 through 9.0.1.5<br>9.0 through 9.0.0.6 | Install Rational ClearCase Fix Pack 6 (9.0.1.6) for 9.0.1 |
| 8.0.1 through 8.0.1.19<br>8.0 through 8.0.0.21 | Install Rational ClearCase Fix Pack 20 (8.0.1.20) for 8.0.1 |

For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
None.