CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

A vulnerability has been addressed in the GSKit component of IBM Rational ClearQuest.
CVEID: CVE-2016-0201
DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by an MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109310 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
ClearQuest Web Server: Versions 8.0 through 8.0.1.10 if using IBM HTTP Server version 8 or newer. GSKit is used for secure (HTTPS) connections.
ClearQuest Clients and Web Server:
Rational ClearQuest versions from 8.0 through 8.0.1.10 if ClearQuest is configured to use LDAP authentication with SSL connections.
ClearQuest Web Server:
Apply an IHS fix for the issue:
/opt/ibm/HTTPServer or C:\Program Files (x86)\IBM\HTTPServer), then execute the script: bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes a section “IBM HTTP Server for WebSphere Application Server”. Make note of the version listed in this section.

ClearQuest Clients and Web Server:
The solution is to install a newer, fixed version of the GSKit runtime component.
Affected Versions | Applying the fix
---|---
8.0.1 through 8.0.1.10 | Install Rational ClearQuest Fix Pack 11 (8.0.1.11) for 8.0.1
8.0 through 8.0.0.17 | Install Rational ClearQuest Fix Pack 18 (8.0.0.18) for 8.0
None