10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.12 Low
EPSS
Percentile
94.5%
Security vulnerabilities have been identified in the IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).
| Subscribe to My Notifications to be notified of important product support alerts like this.
IBM Jazz Team Server applications are shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released January and April 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes.
IBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. The remediation instructions are dependent on whether your deployment uses WAS or Tomcat.
IBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the JRE January and April 2014 critical patch updates:
April 2014 CPU vulnerabilities:
CVEID: CVE-2014-2421
Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92462> for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-6954
Description: A remote attacker could exploit this vulnerability using specially crafted PNG image data to cause the application to crash.
CVSS Base Score: 5 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/89917>_ for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2013-6629
Description: An attacker could exploit this vulnerability using specially crafted JPEG image data to read uninitialized memory and obtain sensitive information.
CVSS Base Score: 5 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/88783>_ for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
January 2014 vulnerabilities:
CVEID: CVE-2014-0411
Description: An unspecified vulnerability in Java JRE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357> for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-0416
Description: An unspecified vulnerability in Java JRE allows remote attackers to affect integrity via vectors related to JAAS. **CVSS Base Score:**5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90349> for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Rational Quality Manager 2.0 - 2.0.1 (All Editions)
Rational Quality Manager 3.0 - 3.0.1.6 iFix2
Rational Quality Manager 4.0 - 4.0.6
Rational Quality Manager 5.0
Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix2
Rational Team Concert 4.0 - 4.0.6
Rational Team Concert 5.0
Rational Requirements Composer 2.0 - 2.0.0.4 (All Editions)
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 2
Rational Requirements Composer 4.0 - 4.0.6
Rational DOORS Next Generation 4.0 - 4.0.6
Rational DOORS Next Generation 5.0
Rational Engineering Lifecycle Manager 1.0-1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3-4.0.6
Rational Rhapsody Design Manager 3.0-3.0.1
Rational Rhapsody Design Manager 4.0-4.0.6
Rational Rhapsody Design Manager 5.0
Rational Software Architect Design Manager 3.0-3.0.1
Rational Software Architect Design Manager 4.0-4.0.6
Rational Software Architect Design Manager 5.0
If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions:
IBM Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server April 2014 CPU.
Otherwise:
Upgrade your products to version 4.0.6 or5.0, and then perform the following upgrades:
OR:
Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades.
_
For the 3.x releases upgrade to version 3.0.1.6 iFix 3
For the 2.x releases, contact IBM support for additional details on the fix.
For the 1.x releases of Rational Engineering Lifecycle Manager, contact IBM support for additional details on the fix.
The version 5.0 Rational products contain the fixes for the January 2014 CPU vulnerabilities, but not the April 2014 CPU vulnerabilities.
To obtain the April 2014 CPU fixes in version 5.0, you must also upgrade the IBM SDK for Java as referenced above.