Security Bulletin: Security vulnerability in IBM Jazz Team Server affects multiple IBM Rational products based on IBM Jazz technology (CVE-2014-2421, CVE-2013-6954, CVE-2013-6629, CVE-2014-0411, CVE-2014-0416)

Summary

Security vulnerabilities have been identified in the IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

IBM Jazz Team Server applications are shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released January and April 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes.

IBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. The remediation instructions are dependent on whether your deployment uses WAS or Tomcat.

IBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the JRE January and April 2014 critical patch updates:

April 2014 CPU vulnerabilities:

CVEID: CVE-2014-2421

Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92462&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-6954

Description: A remote attacker could exploit this vulnerability using specially crafted PNG image data to cause the application to crash.

CVSS Base Score: 5 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/89917&gt;_ for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-6629

Description: An attacker could exploit this vulnerability using specially crafted JPEG image data to read uninitialized memory and obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/88783&gt;_ for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

January 2014 vulnerabilities:

CVEID: CVE-2014-0411

Description: An unspecified vulnerability in Java JRE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVSS Base Score: 4 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-0416

Description: An unspecified vulnerability in Java JRE allows remote attackers to affect integrity via vectors related to JAAS. **CVSS Base Score:**5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90349&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Rational Quality Manager 2.0 - 2.0.1 (All Editions)
Rational Quality Manager 3.0 - 3.0.1.6 iFix2
Rational Quality Manager 4.0 - 4.0.6
Rational Quality Manager 5.0

Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix2
Rational Team Concert 4.0 - 4.0.6
Rational Team Concert 5.0

Rational Requirements Composer 2.0 - 2.0.0.4 (All Editions)
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 2
Rational Requirements Composer 4.0 - 4.0.6

Rational DOORS Next Generation 4.0 - 4.0.6
Rational DOORS Next Generation 5.0

Rational Engineering Lifecycle Manager 1.0-1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3-4.0.6

Rational Rhapsody Design Manager 3.0-3.0.1
Rational Rhapsody Design Manager 4.0-4.0.6
Rational Rhapsody Design Manager 5.0

Rational Software Architect Design Manager 3.0-3.0.1
Rational Software Architect Design Manager 4.0-4.0.6
Rational Software Architect Design Manager 5.0

Remediation/Fixes

If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions:
IBM Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server April 2014 CPU.

Otherwise:
Upgrade your products to version 4.0.6 or5.0, and then perform the following upgrades:

How to update the IBM SDK for Java of IBM Rational products based on version 4.0.6 and 5.0 of IBM’s Jazz technology

OR:
Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades.

• For the 5.0 release, perform the above remediation or a fix is available by upgrading to the CLM 5.0.1 or later releases
  • Rational Quality Manager 5.0.1
  • Rational Team Concert 5.0.1
  • Rational Requirements Composer is now called Rational DOORS Next Generation 5.0.1
  • Rational DOORS Next Generation 5.0.1
  • Rational Software Architect Design Manager 5.0.1
  • Rational Rhapsody Design Manager 5.0.1
  • Rational Engineering Lifecycle Manager 5.0.1
  • • For the 4.x releases, upgrade to 4.0.7
  • Rational Quality Manager 4.0.7
  • Rational Team Concert 4.0.7
  • Rational Requirements Composer 4.0.7
  • Rational Software Architect Design Manager 4.0.7
  • Rational Rhapsody Design Manager 4.0.7
  • Rational DOORS Next Generation 4.0.7
  • Rational Engineering Lifecycle Manager 4.0.7_

_

• For the 3.x releases upgrade to version 3.0.1.6 iFix 3

  • Rational Quality Manager 3.0.1.6 iFix 3
  • Rational Team Concert 3.0.1.6 iFix 3
  • Rational Requirements Composer 3.0.1.6 iFix 3

• For the 2.x releases, contact IBM support for additional details on the fix.

• For the 1.x releases of Rational Engineering Lifecycle Manager, contact IBM support for additional details on the fix.

Workarounds and Mitigations

The version 5.0 Rational products contain the fixes for the January 2014 CPU vulnerabilities, but not the April 2014 CPU vulnerabilities.

To obtain the April 2014 CPU fixes in version 5.0, you must also upgrade the IBM SDK for Java as referenced above.