IBMB19EF7CE6705B06DC806B6DA3FA32018BB6787D11DF1F305AAF1FF8D51B2CA54Security Bulletin: XML entity expansion vulnerabilities in Rational ClearQuest (CVE-2014-3104)
0.003 Low
EPSS
Percentile
69.1%
Summary
IBM Rational ClearQuest is vulnerable to XML entity expansion attacks. These attacks could cause a denial of service.
Vulnerability Details
| Subscribe to My Notifications to be notified of important product support alerts like this.
- Follow this link for more information (requires login with your IBM ID)
—|—
CVE ID: CVE-2014-3104
**Description:**IBM Rational ClearQuest is vulnerable to a denial of service, caused by the failure to properly detect recursion during entity expansion by the XML parser. A remote attacker could exploit this vulnerability using a specially-crafted XML document containing a large number of nested entity references to consume all available memory resources.
CVSS Base Score: 5.0 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94311> for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
ClearQuest version
| Status
—|—
8.0.1 through 8.0.1.4| Affected
8.0 through 8.0.0.11| Affected
7.1.2 through 7.1.2.14| Affected
7.1.0.x, 7.1.1.x (all versions and fix packs)| Affected
Remediation/Fixes
Upgrade to one of the following releases:
| Affected Versions | Applying the fix |
|---|---|
| 8.0.1.x | Install Rational ClearQuest Fix Pack 5 (8.0.1.5) for 8.0.1 |
| 8.0.0.x | Install Rational ClearQuest Fix Pack 12 (8.0.0.12) for 8.0 |
| 7.1.2.x | Install Rational ClearQuest Fix Pack 15 (7.1.2.15) for 7.1.2 |
| 7.1.1.x | Install Rational ClearQuest Fix Pack 15 (7.1.2.15) for 7.1.2 |
Note: 7.1.2.15 inter-operates with all 7.1.1.x systems and can be installed in the same way as 7.1.1.x fix packs.
Workarounds and Mitigations
None
Related
0.003 Low
EPSS
Percentile
69.1%