Lucene search

K
ibmIBMB8AFBDF45AEF0460886E5F93AC90DAE8F281918FBE5E510F9AEB0E2A09E65A0A
HistoryJun 17, 2018 - 5:19 a.m.

Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-0762,CVE-2016-6797)

2018-06-1705:19:51
www.ibm.com
19

EPSS

0.001

Percentile

49.0%

Summary

Jazz Team Server is shipped as a component of Jazz Reporting Service (JRS). Information about multiple security vulnerabilities affecting Jazz Team Server and Jazz-based products has been published in a security bulletin.

Vulnerability Details

CVEID: CVE-2016-0762**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to process the user supplied password if the specified user name does not exist by the Realm implementation. An attacker could exploit this vulnerability to conduct a timing attack and determine valid usernames on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118407&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-6797**
DESCRIPTION:** Apache Tomcat could allow a local attacker to gain unauthorized access to the system, caused by an error in the ResourceLinkFactory. An attacker could exploit this vulnerability to gain access to arbitrary global JNDI resources.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118403&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Principal Product and Version(s)

| Affected Supporting Product(s) and Version(s)
—|—
JRS 5.0, 5.0.1, 5.0.2| Jazz Foundation 5.0, 5.0.1, 5.0.2
JRS 6.0, 6.0.1, 6.0.2, 6.0.3| Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3

  • Both JRS and Jazz Foundation are part of Rational Collaborative Lifecycle Management.

Remediation/Fixes

Consult the security bulletin Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM’s Jazz technology for vulnerability details and information about fixes.

Workarounds and Mitigations

None