Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-0138, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410)

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 5 and 6 that are used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.

Vulnerability Details

CVEID: CVE-2015-0138**
DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-6593**
DESCRIPTION:** An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100153&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2015-0383 DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.
CVSS Base Score: 5.4
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100148&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)

CVEID: CVE-2015-0410**
DESCRIPTION:** An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/100151&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Only the ClearCase Remote Client/ClearTeam Explorer component of ClearCase is affected by CVE-2014-6593, CVE-2015-0383, CVE-2015-0410.

ClearCase Remote Client/ClearTeam Explorer version

|

Status

—|—

8.0.1 through 8.0.1.7

|

Affected by all CVEs listed above

8.0 through 8.0.0.14

|

Affected by all CVEs listed above

7.1.2 through 7.1.2.17

|

Affected by all CVEs listed above

7.1.0.x, 7.1.1.x (all versions and fix packs)

|

Affected by all CVEs listed above

However, other ClearCase components are affected by the “FREAK” attack, as disclosed in CVE-2015-0138 and CVE-2015-0204. See the following bulletins for additional fixes for other components of ClearCase:
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-0138)
Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearCase (CVE-2015-0138)
Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearCase (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)

Remediation/Fixes

The solution is to update to the latest fix pack.

Affected Versions

|

** Applying the fix**

—|—

8.0.1 through 8.0.1.7

| Install Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1

8.0 through 8.0.0.14

| Install Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0

7.1.2 through 7.1.2.17
7.1.1.x (all fix packs)
7.1.0.x (all fix packs)

| Customers on extended support contracts should install Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2

For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Notes:

• If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), you should update the Java™ Virtual Machine used by Eclipse to include a fix for the above issues. Contact the supplier of your Eclipse or Java™ Virtual Machine for instructions on updating Eclipse.

Workarounds and Mitigations

None