Published: Aug 09, 2018 - 4:39 p.m.

Security Bulletin: A security vulnerability in IBM Rational ClearQuest with SSL/TLS communications (CVE-2016-2922)

Source: www.ibm.com

EPSS: 0.001 (Low), percentile 34.0%

Summary

IBM Rational ClearQuest is vulnerable to attacks on its SSL/TLS communications due to improper validation of server certificates.

Vulnerability Details

CVEID: CVE-2016-2922
DESCRIPTION: IBM ClearQuest (CQ OSLC linkages, EmailRelay) fails to check the SSL certificate against the requested hostname. It is subject to a man-in-the-middle attack with an impersonating server observing all the data transmitted to the real server.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
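The check the bulletin says was missing, as an added example (this is not IBM's code; the SAN list and host names below are constructed): `hostname_matches` applies RFC 6125 wildcard rules to a certificate's dNSName entries, and `client_context` shows the single flag in Python's `ssl` module that turns that check on or off for a client.

```python
"""Hostname check for a TLS server certificate, the step this bulletin says
ClearQuest's OSLC/EmailRelay clients skipped.  Added example, not IBM code.
Matching follows RFC 6125 rules for dNSName SANs; the SAN list is a
constructed sample, not taken from any real certificate."""
import ssl

def _label_matches(pattern: str, label: str) -> bool:
    # Only a bare "*" wildcard is honoured, and only as a whole label
    return pattern == "*" or pattern == label

def hostname_matches(san_dns_names, hostname: str) -> bool:
    """Return True if hostname is covered by one of the certificate's
    dNSName entries.  Wildcards are accepted only as the entire leftmost
    label and never match more than one label or a registry-level name."""
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue                      # a wildcard never spans labels
        if pat[0] == "*" and len(pat) < 3:
            continue                      # "*.com" style wildcards rejected
        if "*" in pat[1:] or any("*" in p and p != "*" for p in pat):
            continue                      # partial or non-leftmost wildcards rejected
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False

def client_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """Client-side context.  verify_hostname=False reproduces the weak posture
    in the bulletin: the chain is validated, but an impersonating server
    holding a trusted certificate for some other name is still accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

# Constructed SAN list standing in for what a server certificate would carry
SAMPLE_SANS = ["cq.example.com", "*.oslc.example.com"]

def demo():
    return {
        "exact":         hostname_matches(SAMPLE_SANS, "cq.example.com"),
        "wildcard_one":  hostname_matches(SAMPLE_SANS, "api.oslc.example.com"),
        "wildcard_deep": hostname_matches(SAMPLE_SANS, "a.b.oslc.example.com"),
        "impostor":      hostname_matches(SAMPLE_SANS, "mail.example.com"),
        "strict_ctx":    client_context().check_hostname,
    }
```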

Affected Products and Versions

IBM Rational ClearQuest version 8 and 9 in the following components:

  • ClearQuest Web/CQ OSLC server/CM Server component, when configured to use SSL.
  • ClearQuest EmailRelay using secure connections.

| ClearQuest version | Status |
|---|---|
| 9.0.1 through 9.0.1.3 | Affected |
| 9.0 through 9.0.0.6 | Affected |
| 8.0 through 8.0.0.21 | Affected |
| 8.0.1 through 8.0.1.17 | Affected |

Remediation/Fixes

Apply a fix pack as listed in the table below.

| Affected Versions | Applying the fix |
|---|---|
| 9.0.1 through 9.0.1.3; 9.0 through 9.0.0.6 | Install Rational ClearQuest Fix Pack 4 (9.0.1.4) for 9.0.1 |
| 8.0.1 through 8.0.1.17; 8.0 through 8.0.0.21 | Install Rational ClearQuest Fix Pack 18 (8.0.1.18) for 8.0.1 |

For 7.0.x, 7.1.x, 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None.
