Jul 10, 2018 - 8:34 a.m.

Security Bulletin: Vulnerability in IBM Rational ClearCase (Java component) with potential for TLS Attack (CVE-2013-0169)

2018-07-10 08:34:12
www.ibm.com

CVSS2: 2.6 Low

* Access Vector: NETWORK
* Access Complexity: HIGH
* Authentication: NONE
* Confidentiality Impact: PARTIAL
* Integrity Impact: NONE
* Availability Impact: NONE

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Summary

IBM Rational ClearCase includes an IBM Java SDK that is based on the Oracle JDK. Oracle has released April 2013 critical patch updates (CPU) which contain security vulnerability fixes and the IBM Java SDK has been updated to incorporate those updates.

Vulnerability Details

CVE ID: CVE-2013-0169

Description: The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the “Lucky Thirteen” issue.

CVSS Base Score: 4.3

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>

CVSS Environmental Score: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational ClearCase, Remote Client, 7.1 through 7.1.2.11, 8.0 through 8.0.0.7, and 8.0.1

Note: The vulnerability only affects ClearCase Remote Client.

* If your deployment does not use ClearCase Remote Client, it is _not vulnerable_. 
* If your deployment does not use SSL (https) between ClearCase Remote Client and CM Server or CCRC WAN Server, it is _not vulnerable_.

Remediation/Fixes

Upgrade to one of the below versions of IBM Rational ClearCase:

Workarounds and Mitigations

None
