1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
An attacker running a program on the same machine as where the victim is running a program could use CPU timing information to discover key information.
| Subscribe to My Notifications to be notified of important product support alerts like this.
CVE-ID:CVE-2014-0076**
Description:** An attacker running a program on the same machine as where the victim is running a program could use CPU timing information to discover key information about certain kinds of binary type Elliptic Curves used in Digital signatures during signing operations. Although GSKit only generates Prime type Elliptic Curves, externally generated keys may be imported in GSKit.
The IBM GSKit is used by RequisitePro when supporting SSL connections.
CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91990> *CVSS Environmental Score:**Undefined CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
ReqPro version
|
Status
ā|ā
Rational RequisitePro 7.1.4 through 7.1.4.3
|
Affected
Rational RequisitePro 7.1.3 through 7.1.3.10
|
Affected if you use IBM HTTP Server version 8 or higher
Rational RequisitePro 7.1.2 through 7.1.2.13
|
Affected if you use IBM HTTP Server version 8 or higher
Rational RequisitePro 7.0.x, 7.1.0.x, 7.1.1.x
|
Not Affected
The solution is to upgrade to a fix pack of ReqPro that has a newer GSKit component that corrects these vulnerabilities, and to update IBM HTTP Server. Please see below for information on the fixes available.
Affected version
|
Remediation
ā|ā
7.1.4.x
|
Install Rational RequisitePro Fix Pack 4 (7.1.4.4) for 7.1.4
7.1.3.x
|
Install Rational RequisitePro Fix Pack 11 (7.1.3.11) for 7.1.3
7.1.2.x
|
Install Rational RequisitePro Fix Pack 14 (7.1.2.14) for 7.1.2
None