Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearQuest (CVE-2015-0138)

Summary

GSKit is an IBM component that is used by IBM Rational ClearQuest. The GSKit that is shipped with IBM Rational ClearQuest contains multiple security vulnerabilities including the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. IBM Rational ClearQuest has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.

This vulnerability is also known as the FREAK attack.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Rational ClearQuest versions:

Version

|

Status

—|—

8.0.1 through 8.0.1.7

|

Affected

8.0 through 8.0.0.14

|

Affected

7.1.1.x, 7.1.2.x (all versions)

|

Affected

You are vulnerable if you configure Rational ClearQuest to use LDAP authentication with secure sockets connections.

Remediation/Fixes

The solution is to update to the latest fix pack.

Affected Versions

|

** Applying the fix**

—|—

8.0.1.x

|

Install Rational ClearQuest Fix Pack 8 (8.0.1.8)

8.0.0.x

|

Install Rational ClearQuest Fix Pack 15 (8.0.0.15)

7.1.2.x
7.1.1.x

|

Customers with extended support contracts should install Rational ClearQuest Fix Pack 18 (7.1.2.18)

You should verify applying this fix does not cause any compatibility issues.

Workarounds and Mitigations

None