Security Bulletin: A vulnerability in the GSKit component of IBM Rational RequisitePro (CVE-2016-0201)

Summary

A vulnerability has been addressed in the GSKit component of Rational RequisitePro.

Vulnerability Details

CVEID: CVE-2016-0201 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109310 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

You are affected by this vulnerability if you authenticate to RequisiteWeb via LDAP or if you have configured IHS for SSL connections.

Version

|

Status

—|—

7.1.4 through 7.1.4.10

|

Affected

7.1.3 through 7.1.3.17

|

Affected

Remediation/Fixes

Remediation for Rational RequisiteWeb component is as follows:

1. Install an updated GSKit runtime provided by Rational Customer Support.

Affected version

|

Applying the fix

—|—

7.1.4.x

| Contact Rational Customer Support to obtain the GSKit update installer.

7.1.3.x

| Contact Rational Customer Support to obtain the GSKit update installer.

2. Applying the IHS fix:

• Determine the IHS version used by your ReqWeb Server. Navigate to the IBM HTTP Server installation directory (typically C:\Program Files (x86)\IBM\HTTPServer), then execute the script: bin\versionInfo.bat. The output includes a section “IBM HTTP Server for WebSphere Application Server”. Make note of the version listed in this section.
• Review the following IHS security bulletin: _ _Security Bulletin:Vulnerabilities in the GSKit component of IBM HTTP Server (CVE-2016-0201 and CVE-2015-7420)
• Apply the relevant fixes to your IBM HTTP Server installation used for RequisiteWeb.

Workarounds and Mitigations

None