Jun 17, 2018 - 4:54 a.m.

Security Bulletin: Vulnerabilities in RequisitePro GSKit Component (CVE-2014-0076)

2018-06-17 04:54:54
www.ibm.com

CVSS2: 1.9 Low

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

Summary

An attacker running a program on the same machine as the victim's program could use CPU timing information to discover key information.

Vulnerability Details


CVE-ID: CVE-2014-0076

Description: An attacker running a program on the same machine as the victim's program could use CPU timing information to discover key information about certain kinds of binary-type elliptic curves used in digital signatures during signing operations. Although GSKit only generates prime-type elliptic curves, externally generated keys may be imported into GSKit.

The IBM GSKit is used by RequisitePro when supporting SSL connections.

CVSS Base Score: 2.1

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91990>

CVSS Environmental Score: Undefined

CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
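The description notes that GSKit generates only prime-type curves but that externally generated keys may be imported. As an added example (not part of the IBM bulletin or of GSKit), the Python below classifies a DER-encoded SubjectPublicKeyInfo by its named-curve OID so that imported keys on binary-field curves can be identified. The function names and sample bytes are constructed for illustration, and exporting public keys from a key database is assumed to happen separately.

```python
# Added example, not IBM code: classify an EC public key as prime- or binary-field.
EC_PUBLIC_KEY = "1.2.840.10045.2.1"     # id-ecPublicKey
X962_BINARY = "1.2.840.10045.3.0."      # X9.62 characteristic-two named curves
X962_PRIME = "1.2.840.10045.3.1."       # X9.62 prime curves (prime256v1 is .7)
SECG = "1.3.132.0."                     # SECG named curves; last arc selects the curve
SECG_BINARY = {1, 2, 3, 4, 5, 15, 16, 17, 22, 23, 24, 25, 26, 27, 36, 37, 38, 39}
SECG_PRIME = {6, 7, 8, 9, 10, 28, 29, 30, 31, 32, 33, 34, 35}
# Constructed samples: real AlgorithmIdentifier bytes, placeholder public-key bits.
P256_SPKI = bytes.fromhex("301a301306072a8648ce3d020106082a8648ce3d0301070303000400")
SECT283K1_SPKI = bytes.fromhex("3017301006072a8648ce3d020106052b810400100303000400")

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):  # DER OID content bytes -> dotted-decimal string
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)   # base-128, high bit marks continuation
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)       # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ec_field_type(spki_der):  # -> prime | binary | not-ec | needs-review | malformed
    try:
        _, spki, _ = read_tlv(spki_der, 0)      # outer SEQUENCE
        _, alg, _ = read_tlv(spki, 0)           # AlgorithmIdentifier
        tag, oid, pos = read_tlv(alg, 0)        # algorithm OID
        if tag != 0x06 or decode_oid(oid) != EC_PUBLIC_KEY:
            return "not-ec"
        tag, params, _ = read_tlv(alg, pos)     # namedCurve OID expected here
        if tag != 0x06:
            return "needs-review"               # explicit or implicit parameters
        curve = decode_oid(params)
        last = int(curve.rsplit(".", 1)[1])
    except (ValueError, IndexError):
        return "malformed"
    if curve.startswith(X962_BINARY) or (curve.startswith(SECG) and last in SECG_BINARY):
        return "binary"
    if curve.startswith(X962_PRIME) or (curve.startswith(SECG) and last in SECG_PRIME):
        return "prime"
    return "needs-review"                       # curve family not covered above
```

Keys reported as `binary` or `needs-review` are the ones to examine against this bulletin; other curve families are deliberately left for manual review.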

Affected Products and Versions

ReqPro version | Status
---|---
Rational RequisitePro 7.1.4 through 7.1.4.3 | Affected
Rational RequisitePro 7.1.3 through 7.1.3.10 | Affected if you use IBM HTTP Server version 8 or higher
Rational RequisitePro 7.1.2 through 7.1.2.13 | Affected if you use IBM HTTP Server version 8 or higher
Rational RequisitePro 7.0.x, 7.1.0.x, 7.1.1.x | Not Affected

Remediation/Fixes

The solution is to upgrade to a fix pack of ReqPro that has a newer GSKit component that corrects these vulnerabilities, and to update IBM HTTP Server. Please see below for information on the fixes available.

Affected version | Remediation
---|---
7.1.4.x | Install Rational RequisitePro Fix Pack 4 (7.1.4.4) for 7.1.4
7.1.3.x | Install Rational RequisitePro Fix Pack 11 (7.1.3.11) for 7.1.3
7.1.2.x | Install Rational RequisitePro Fix Pack 14 (7.1.2.14) for 7.1.2

Workarounds and Mitigations

None
