Security Bulletin: A vulnerability in the GSKit component of IBM Rational ClearQuest (CVE-2016-0201)

2018-09-29 18:04:03
www.ibm.com

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

A vulnerability has been addressed in the GSKit component of IBM Rational ClearQuest.

Vulnerability Details

CVEID: CVE-2016-0201
DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by an MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109310 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

ClearQuest Web Server: Versions 8.0 through 8.0.1.10 if using IBM HTTP Server version 8 or newer. GSKit is used for secure (HTTPS) connections.

ClearQuest Clients and Web Server:
Rational ClearQuest versions from 8.0 through 8.0.1.10 if ClearQuest is configured to use LDAP authentication with SSL connections.

Remediation/Fixes

ClearQuest Web Server:
Apply an IHS fix for the issue:

  1. Determine the IHS version used by your ClearQuest Web server. Navigate to the IBM HTTP Server installation directory (typically /opt/ibm/HTTPServer or C:\Program Files (x86)\IBM\HTTPServer), then execute the script: bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes a section “IBM HTTP Server for WebSphere Application Server”. Make note of the version listed in this section.
  2. Review the following IHS security bulletin for the available fixes: Security Bulletin: Vulnerabilities in the GSKit component of IBM HTTP Server (CVE-2016-0201 and CVE-2015-7420)
  3. Apply the relevant fixes to your IBM HTTP Server installation used on your ClearQuest Web server host. No ClearQuest-specific steps are necessary.
  4. For this ClearQuest Web server, also follow the steps under ClearQuest Clients and Web Server if you also use LDAP authentication with SSL connections.

ClearQuest Clients and Web Server:
The solution is to install a newer, fixed version of the GSKit runtime component.

Affected Versions | Applying the fix
---|---
8.0.1 through 8.0.1.10 | Install Rational ClearQuest Fix Pack 11 (8.0.1.11) for 8.0.1
8.0 through 8.0.0.17 | Install Rational ClearQuest Fix Pack 18 (8.0.0.18) for 8.0
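
As an added example, not part of IBM's bulletin or of any ClearQuest tooling, the POSIX shell script below encodes the two affected ranges from the table above and reports which fix pack applies to a given ClearQuest version string. It assumes ClearQuest versions are dotted numerals and that short forms pad with zeros (8.0 is treated as 8.0.0.0, 8.0.1 as 8.0.1.0); the script name and the sample versions in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code: classify a ClearQuest version against the
# affected ranges in this bulletin and name the fix pack to install.
# Assumption: versions are dotted numerals; short forms pad with zeros
# (8.0 is treated as 8.0.0.0, 8.0.1 as 8.0.1.0).

# ver_cmp A B: print -1, 0 or 1 for A<B, A==B, A>B, comparing up to four
# numeric components; missing components count as 0.
ver_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 4; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 4; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 4; i++) {
                if (a[i] < b[i]) { print (-1); exit }
                if (a[i] > b[i]) { print (1); exit }
            }
            print (0)
        }'
}

# in_range V LO HI: succeed if LO <= V <= HI
in_range() {
    [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -le 0 ]
}

# cq_fix_for V: print the remediation from the bulletin's table for version V.
# The 8.0.1.x range is checked first because 8.0.1 sorts above 8.0.0.17.
cq_fix_for() {
    if in_range "$1" 8.0.1 8.0.1.10; then
        echo "affected: install Rational ClearQuest Fix Pack 11 (8.0.1.11)"
    elif in_range "$1" 8.0 8.0.0.17; then
        echo "affected: install Rational ClearQuest Fix Pack 18 (8.0.0.18)"
    else
        echo "not in an affected range listed by this bulletin"
    fi
}

# Usage (hypothetical script name, constructed sample versions):
#   sh cq_gskit_check.sh 8.0.1.7 8.0.0.18 8.0
for v in "$@"; do
    printf '%s: %s\n' "$v" "$(cq_fix_for "$v")"
done
```

The check only covers the fix-pack table for the GSKit runtime shipped with ClearQuest; the IHS version determined in step 1 of the Web Server procedure still has to be matched against the separate IHS bulletin by hand.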

Workarounds and Mitigations

None
