Security Bulletin: Vulnerabilities in libcurl and cURL affect Rational DOORS (CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153, CVE-2015-3236)

Summary

Vulnerabilities in libcurl and cURL affect Rational DOORS.

Vulnerability Details

CVEID: CVE-2015-3143**
DESCRIPTION:** libcurl could allow a remote attacker from within the local network to bypass security restrictions, caused by the re-use of recently authenticated connections. By sending a new NTLM-authenticated request, an attacker could exploit this vulnerability to perform unauthorized actions with the privileges of the victim.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102888 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-3144**
DESCRIPTION:** libcurl and cRUL are vulnerable to a denial of service, caused by improper calculation of index by the fix_hostname function. By using a zero-length host name, an remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-3145**
DESCRIPTION:** libcurl and cRUL are vulnerable to a denial of service, caused by improper calculation of index by the sanitize_cookie_path function. By using a double-quote character in a cookie path, an remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102884 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-3148**
DESCRIPTION:** libcurl and cRUL could allow a remote attacker to bypass security restrictions, caused by improper use of the negotiate authentication method. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions and connect as other users.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2015-3153
Description: cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by custom HTTP headers with sensitive content being sent to the server and intermediate proxy by the CURLOPT_HTTPHEADER option. An attacker could exploit this vulnerability to obtain authentication cookies or other sensitive information.**
CVSS Base Score: 5.000**
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102989 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
** CVEID: CVE-2015-3236
Description**: libcurl could allow a remote attacker to obtain sensitive information, caused by the HTTP credentials being sent when re-using connections. An attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.**
CVSS Base Score**: 5**
CVSS Temporal Score**: https://exchange.xforce.ibmcloud.com/vulnerabilities/105326 for the current score**
CVSS Vector**: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational DOORS: 9.3.0.0 - 9.3.0.10, 9.4.0.0 - 9.4.0.4, 9.5.0.0 - 9.5.0.4, 9.5.1.0 - 9.5.1.5, 9.5.2.0 - 9.5.2.4, 9.6.0.0 - 9.6.0.3, 9.6.1.0 - 9.6.1.3

The following Rational DOORS components are affected:

• Rational DOORS desktop client
• Rational DOORS database server
• Rational DOORS interoperation server

**FIPS 140 andNIST SP 800-131A compliance **
Rational DOORS v9.3, v9.4, and v9.5 use IBM Global Security Kit (GSKit) versions 7. GSKit is required for configuring SSL and TLS encryption for compliance with Federal Information Processing Standards (FIPS) publication 140-2 and NIST Special Publication (SP) 800-131A. The Random Number Generators (RNGs) that are included in GSKit version 7 are deprecated from 2011 to 2015 and disallowed after December 2015. To maintain compliance withFIPS 140 andNIST SP 800-131A, upgrade to new fix packs, as described in the following section.

Remediation/Fixes

Upgrade to the fix pack that corresponds to the version of Rational DOORS that you are running, as shown in the following table. Upgrade the Rational DOORS client, the Rational DOORS database server, and the Rational DOORS interoperation server.
You should verify applying this fix does not cause any compatibility issues.

For_ Rational DOORS version 9.2.x and earlier, IBM recommends upgrading to a fixed, supported version/release/platform of the product._

If you are using Rational DOORS Web Access, after you upgrade but before you start the Rational DOORS Web Access server, edit the core configuration file and set the required version of the interoperation server to the version of the fix pack upgrade, as described in this procedure.

Procedure:

1. To edit the Rational DOORS Web Access core configuration file, open the festival.xml file, which is in the server\festival\config directory.

2. Add the following line in the <f:properties> section:

`<**f:property name="interop.version" value="9.n.n.n"** />

Replace "9.n.n.n`" with the version of the fix pack upgrade: 9.3.0.11, 9.4.0.5, 9.5.0.5, 9.5.1.6, 9.5.2.5, 9.6.0.4, or 9.6.1.4.

3. Save and close the file.

After this revision, only the specified version of the interoperation server can access the Rational DOORS database.

Workarounds and Mitigations

None