IBM Rational ClearQuest is vulnerable to XML entity expansion attacks. These attacks could cause a denial of service.
CVE ID: CVE-2014-3104
**Description:** IBM Rational ClearQuest is vulnerable to a denial of service, caused by the failure to properly detect recursion during entity expansion by the XML parser. A remote attacker could exploit this vulnerability using a specially-crafted XML document containing a large number of nested entity references to consume all available memory resources.
CVSS Base Score: 5.0
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94311> for the current score
**CVSS Environmental Score:** Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
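
The check the description says the parser lacks can be sketched as a pre-parse guard: the added example below (not IBM's code and not the ClearQuest fix) computes how large a document would become after entity expansion, arithmetically and without building the expanded text, and rejects recursive or oversized entity graphs. The function name, limits and sample document are assumptions made for illustration; it handles internal general entities only and assumes a single internal DTD subset with no CDATA sections.

```python
import re

# Internal general entities only; parameter and external entities are out of scope.
DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

# Constructed sample: three small nested entities (not taken from the advisory).
SAMPLE = '''<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "xxxx">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]>
<r>&c;</r>'''


def expanded_size(xml_text, limit=1_000_000, max_depth=32):
    """Return the document body's length after entity expansion, never materialising it."""
    decls = {}
    for name, dq, sq in DECL.findall(xml_text):
        decls.setdefault(name, dq or sq)  # the first declaration of a name is binding
    sizes, active = {}, set()  # memoised sizes; entities currently being expanded

    def measure(text, depth):
        total = len(REF.sub("", text))  # literal characters (char refs overcounted)
        for name in REF.findall(text):
            total += size_of(name, depth)
            if total > limit:
                raise ValueError(f"entity expansion exceeds {limit} characters")
        return total

    def size_of(name, depth):
        if name in PREDEFINED:
            return 1
        if name not in decls:
            return 0  # undeclared reference: a conforming parser rejects it
        if name in active:
            raise ValueError(f"entity '{name}' is defined in terms of itself")
        if depth > max_depth:
            raise ValueError(f"entity nesting deeper than {max_depth}")
        if name not in sizes:
            active.add(name)
            sizes[name] = measure(decls[name], depth + 1)
            active.discard(name)
        return sizes[name]

    body = xml_text.rsplit("]>", 1)[-1]  # text after the internal DTD subset
    return measure(body, 0)
```

Because each entity's size is memoised, the cost is linear in the size of the DTD even when the expansion itself would be exponential.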
ClearQuest version | Status |
---|---|
8.0.1 through 8.0.1.4 | Affected |
8.0 through 8.0.0.11 | Affected |
7.1.2 through 7.1.2.14 | Affected |
7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected |
Upgrade to one of the following releases:
Affected Versions | Applying the fix |
---|---|
8.0.1.x | Install Rational ClearQuest Fix Pack 5 (8.0.1.5) for 8.0.1 |
8.0.0.x | Install Rational ClearQuest Fix Pack 12 (8.0.0.12) for 8.0 |
7.1.2.x | Install Rational ClearQuest Fix Pack 15 (7.1.2.15) for 7.1.2 |
7.1.1.x | Install Rational ClearQuest Fix Pack 15 (7.1.2.15) for 7.1.2 |
Note: 7.1.2.15 inter-operates with all 7.1.1.x systems and can be installed in the same way as 7.1.1.x fix packs.
None