
Security Bulletin: Multiple security vulnerabilities have been identified in GSKit shipped with IBM ClearQuest (CVE-2016-0702, CVE-2018-1447, CVE-2018-1427, CVE-2016-0705)

2018-06-17 05:26:53
www.ibm.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

Vulnerabilities in the GSKit component shipped with IBM Rational ClearQuest have been addressed. Note that the 9.8 (CVSS3) and 10 (CVSS2) figures in the page header do not correspond to any of the four per-CVE vectors IBM gives below, whose base scores range from 2.9 to 6.2; use the per-CVE vectors when prioritising.

Vulnerability Details

CVEID: CVE-2016-0702
DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack (CacheBleed) against systems based on the Intel Sandy Bridge microarchitecture; the attacker's code must run on the same physical core as the victim process. An attacker could exploit this vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111144 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords; a weak password may be recovered. Note: after updating, change the password so that the new password is stored under the corrected (salted) logic. Products should encourage customers to take this step as a high-priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1427
DESCRIPTION: IBM GSKit reads several environment variables without adequate length checks; a local attacker who can set over-long values could overflow them and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139072 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service caused by a double-free error when parsing malformed DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| ClearQuest version | Status |
|---|---|
| 8.0 through 8.0.0.21 | Affected |
| 8.0.1 through 8.0.1.16 | Affected |
| 9.0 through 9.0.0.6 | Affected |
| 9.0.1 through 9.0.1.2 | Affected |

| ClearQuest CM Server release | Status |
|---|---|
| 8.0 through 8.0.0.21 | Affected |
| 8.0.1 through 8.0.1.16 | Affected |
| 9.0 through 9.0.0.6 | Affected |
| 9.0.1 through 9.0.1.2 | Affected |

ClearQuest CM Server: all platforms of the indicated releases.

You are vulnerable if Rational ClearQuest is configured to use LDAP authentication over secure sockets (SSL/TLS) connections.

Remediation/Fixes

Note: After applying the fixes noted below, refer to http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html for information on password re-stashing. Because of CVE-2018-1447, the password of an existing key database was hashed without a salt; re-stash it after applying the fixes so it is stored under the corrected logic, and choose a new, strong password when doing so.
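To see why an unsalted key-database password hash gives "weaker than expected protection" (CVE-2018-1447 above) and why re-stashing after the fix matters, here is a small added example. It is not GSKit code: the page does not describe GSKit's actual hash function or KDB format, so the SHA-256 hashing and the record layout below are stand-ins. It models pre-fix unsalted records, post-fix salted records, and a dictionary attack against both.

```python
"""Why an unsalted password hash is weaker (added example, not GSKit code).

SHA-256 and the record layout are stand-ins; the bulletin does not describe
GSKit's real hash or KDB format.  The wordlist and passwords are constructed.
"""
import hashlib
import os


def hash_unsalted(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def stash_unsalted(password: str) -> dict:
    """Pre-fix record: no salt field, so equal passwords give equal digests."""
    return {"salt": None, "digest": hash_unsalted(password)}


def stash_salted(password: str) -> dict:
    """Post-fix record: a fresh random salt per store."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_salted(password, salt)}


def restash(password: str) -> dict:
    """What re-stashing achieves: the same password, now stored salted."""
    return stash_salted(password)


def crack(record: dict, wordlist, table_cache: dict):
    """Dictionary attack; returns (password or None, hash operations spent).

    table_cache holds precomputed unsalted digests.  For an unsalted record the
    table is built once and reused across every store; for a salted record the
    salt forces the whole wordlist to be rehashed per store.
    """
    if record["salt"] is None:
        if not table_cache:
            for w in wordlist:
                table_cache[hash_unsalted(w)] = w
            ops = len(table_cache)
        else:
            ops = 0  # table already built: a lookup costs nothing
        return table_cache.get(record["digest"]), ops
    ops = 0
    for w in wordlist:
        ops += 1
        if hash_salted(w, record["salt"]) == record["digest"]:
            return w, ops
    return None, ops


def demo() -> dict:
    """Three stores sharing one weak password, under both schemes."""
    wordlist = ["123456", "password", "gskit", "Passw0rd", "ibmstash"]
    weak = "Passw0rd"
    cache = {}
    old = [stash_unsalted(weak) for _ in range(3)]
    old_results = [crack(r, wordlist, cache) for r in old]
    new = [restash(weak) for _ in range(3)]
    new_results = [crack(r, wordlist, {}) for r in new]
    return {
        "unsalted_identical": len({r["digest"] for r in old}) == 1,
        "salted_identical": len({r["digest"] for r in new}) == 1,
        "unsalted_ops": [ops for _, ops in old_results],
        "salted_ops": [ops for _, ops in new_results],
        "all_cracked": all(p == weak for p, _ in old_results + new_results),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() shows the asymmetry: the three unsalted stores share one digest, so after a single wordlist pass the remaining stores fall to a free table lookup, while each salted store costs a full pass of its own. The weak password is recovered either way, which is the bulletin's point: the fix changes how a password is stored from now on, an existing store only benefits once it is re-stashed, and only a strong password survives a targeted pass. A production key store should also use a slow, memory-hard key-derivation function rather than a single SHA-256 round.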

The solution is to upgrade to a fix pack or release of ClearQuest that contains the fix and, for ClearQuest CM Server, to apply the corresponding IBM HTTP Server (IHS) fixes.

| Affected Versions | Fixes |
|---|---|
| 9.0.1 through 9.0.1.2, 9.0 through 9.0.0.6 | Install Rational ClearQuest Fix Pack 3 (9.0.1.3) for 9.0.1 |
| 8.0.1 through 8.0.1.16, 8.0 through 8.0.0.21 | Install Rational ClearQuest Fix Pack 17 (8.0.1.17) for 8.0.1 |
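The affected-version and fix tables can be encoded as a small triage helper for checking an inventory of ClearQuest installs. This is an added example, not an IBM tool; the ranges and fix-pack versions come from the tables on this page, and the hostnames in its sample inventory are constructed.

```python
"""Triage ClearQuest versions against this bulletin (added example, not IBM's).

Encodes the affected ranges and fix packs from the bulletin's tables so an
inventory of installs can be checked mechanically.  The sample inventory in
the main block is constructed; the hostnames are made up.
"""
from typing import NamedTuple, Optional

Version = tuple  # e.g. (8, 0, 1, 16)


def parse_version(text: str, width: int = 4) -> Version:
    """'8.0' -> (8, 0, 0, 0); '8.0.1.16' -> (8, 0, 1, 16).

    Short forms are padded with zeros, which is how the bulletin's
    '8.0 through 8.0.0.21' reads.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= width:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


class Range(NamedTuple):
    low: Version
    high: Version
    fix: str  # fix-pack version from the Fixes table


# Affected ranges and the fix IBM prescribes for each, from the bulletin.
AFFECTED = [
    Range(parse_version("8.0"), parse_version("8.0.0.21"), "8.0.1.17"),
    Range(parse_version("8.0.1"), parse_version("8.0.1.16"), "8.0.1.17"),
    Range(parse_version("9.0"), parse_version("9.0.0.6"), "9.0.1.3"),
    Range(parse_version("9.0.1"), parse_version("9.0.1.2"), "9.0.1.3"),
]


def assess(version_text: str) -> Optional[str]:
    """Return the fix-pack version to install, or None if not in an affected range.

    None means 'not listed as affected by this bulletin', not 'secure': a
    version outside every range still needs checking against later bulletins.
    """
    v = parse_version(version_text)
    for r in AFFECTED:
        if r.low <= v <= r.high:  # tuple comparison is lexicographic
            return r.fix
    return None


def triage(inventory) -> dict:
    """Map (host, version) pairs to the action each host needs."""
    report = {}
    for host, version in inventory:
        fix = assess(version)
        if fix is None:
            report[host] = f"{version}: not in an affected range"
        else:
            report[host] = f"{version}: affected, install {fix}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("cq-prod-01", "8.0.0.21"),
        ("cq-prod-02", "8.0.1.16"),
        ("cq-dev-01", "9.0.0.6"),
        ("cq-dev-02", "9.0.1.2"),
        ("cq-dev-03", "9.0.1.3"),
    ]
    for host, line in triage(sample).items():
        print(f"{host}: {line}")
```

assess("8.0.0.21") returns "8.0.1.17": the bulletin lists no 8.0.0.x fix pack, so 8.0.0 installs must move to the 8.0.1 stream, and likewise 9.0.0.x installs move to 9.0.1.3. A None result only means the version is outside every range this bulletin lists.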

ClearQuest CM Server:
Apply an IHS fix for the issue:

  1. Determine the IHS version used by your ClearQuest CM server. Navigate to the IBM HTTP Server installation directory (typically /opt/ibm/HTTPServer or C:\Program Files (x86)\IBM\HTTPServer), then execute the script bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes a section "IBM HTTP Server for WebSphere Application Server"; make note of the version listed in this section.
  2. Review the following IHS security bulletin for the available fixes: Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server. Note: there may be newer security fixes for IBM HTTP Server. Follow the link above (in the section "
