IBMAE2D99F51F54FB9B9702B49C29BE274AEE8BC814AAE746C495B94D448A0B731ESecurity Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.02 Low
EPSS
Percentile
87.0%
Summary
Multiple vulnerabilities in the IBM Jazz Team Server affecting the following IBM Rational Products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).
Vulnerability Details
CVEID: CVE-2018-1492 DESCRIPTION: IBM Jazz Foundation could allow a user with physical access to the system to log in as another user due to the server’s failure to properly log out from the previous sessoin.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140977> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-1423 DESCRIPTION: IBM Rhapsody DM could disclose sensitive information to an authenticated attacker that could be used in further attacks agains the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139026> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2017-12626 DESCRIPTION: Apache POI is vulnerable to a denial of service, caused by an error while parsing malicious WMF, EMF, MSG and macros and specially crafted DOC, PPT and XLS. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or an out of memory exception.
CVSS Base Score: 5.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/138361> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Affected Products and Versions
Rational Collaborative Lifecycle Management 5.0 - 6.0.5
Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.5
Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.5
Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.5
Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.5
Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.5
Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.1
Remediation/Fixes
For the 6.0 - 6.0.5 releases
- Upgrade to version 6.0.5 iFix6 or later
- Rational Collaborative Lifecycle Management 6.0.5 iFix6
- Rational DOORS Next Generation 6.0.5 iFix6
- Rational Quality Manager 6.0.5 iFix6
- Rational Team Concert 6.0.5 iFix6
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.5 and install server from CLM 6.0.5 iFix6
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.5 and install server from CLM 6.0.5 iFix6
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.5 and install server from CLM 6.0.5 iFix6
- Upgrade to version 6.0.4 iFix010 or later
- Rational Collaborative Lifecycle Management 6.0.4 iFix010
- Rational DOORS Next Generation 6.0.4 iFix010
- Rational Quality Manager 6.0.4 iFix010
- Rational Team Concert 6.0.4 iFix010
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.5 and install server from CLM 6.0.4 iFix010
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.5 and install server from CLM 6.0.4 iFix010
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.5 and install server from CLM 6.0.4 iFix010
- Or upgrade to version 6.0.2 iFix17 or later
- Rational Collaborative Lifecycle Management 6.0.2 iFix17
- Rational Team Concert 6.0.2 iFix17
- Rational Quality Manager 6.0.2 iFix17
- Rational DOORS Next Generation 6.0.2 iFix17
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix17
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix17
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix17
For the 5.x releases, upgrade to version 5.0.2 iFix26 or later
- Rational Collaborative Lifecycle Management 5.0.2 iFix26
- Rational Team Concert 5.0.2 iFix26
- Rational Quality Manager 5.0.2 iFix26
- Rational DOORS Next Generation 5.0.2 iFix26
- Rational Software Architect Design Manager:_ _Upgrade to version 5.0.2 and install server from CLM 5.0.2 iFix26
- Rational Rhapsody Design Manager:_ _Upgrade to version 5.0.2 and install server from CLM 5.0.2 iFix26
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 5.0.2 and install server from CLM 5.0.2 iFix26
For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
If the iFix is not found in the Fix Portal please contact IBM Support.
Workarounds and Mitigations
None
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.02 Low
EPSS
Percentile
87.0%