There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 5 and 6 that are used by IBM Rational ClearQuest. These issues were disclosed as part of the IBM Java SDK updates in April 2015.
**CVEID:** CVE-2015-2613
**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104734 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**CVEID:** CVE-2015-2601
**DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**CVEID:** CVE-2015-2625
**DESCRIPTION:** An unspecified vulnerability related to the JSSE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104743 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
**CVEID:** CVE-2015-1931
**DESCRIPTION:** IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102967 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
IBM Rational ClearQuest, versions 7.1.0.x, 7.1.1.x, 7.1.2.x, 8.0.0.x, 8.0.1.x, in the following components:
ClearQuest version | Status
---|---
8.0.1 through 8.0.1.9 | Affected
8.0 through 8.0.0.16 | Affected
7.1.0.x, 7.1.1.x, 7.1.2.x (all versions and fix packs) | Affected
The solution is to install a fix that includes an updated Java™ Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS).
**ClearQuest Eclipse client fixes**
The solution is to update to the latest fix pack.
Affected Versions | **Applying the fix**
---|---
8.0.1 through 8.0.1.9 | Install Rational ClearQuest Fix Pack 10 (8.0.1.10) for 8.0.1.
8.0 through 8.0.0.16 | Install Rational ClearQuest Fix Pack 17 (8.0.0.17) for 8.0.
7.1.2.x (all fix packs)<br>7.1.1.x (all fix packs)<br>7.1.0.x (all fix packs) | Customers on extended support contracts should contact Rational Customer Support
ClearQuest Server components
`<SDLC-home>/ClearQuest/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\versionInfo.bat` (Windows). The output includes a section “IBM WebSphere Application Server”. Make note of the version listed in this section, and apply the fixes for the version of WAS used for ClearQuest Web.
Affected Versions | **Applying the fix**
---|---
8.0.0.x<br>8.0.1.x | Apply the appropriate WebSphere Application Server fix directly to your CQ server host. No ClearQuest-specific steps are necessary.
7.1.2.x (all fix packs)<br>7.1.1.x (all fix packs)<br>7.1.0.x (all fix packs) | Customers on extended support contracts should contact customer support.
For 7.1.x, 7.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
None