IBME01D76BCB9EF678F57AED3EA444B1CC15E1E1A76D4E8C6F2FC1F724EFBFCDD5DSecurity Bulletin: Multiple vulnerabilites affect IBM Jazz Foundation and IBM Engineering products.
0.001 Low
EPSS
Percentile
32.9%
Summary
There are multiple vulnerabilities that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Systems Design Rhapsody - Model Manager (RMM).
Vulnerability Details
CVEID:CVE-2020-4544
**DESCRIPTION:**IBM Jazz Foundation could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183189 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-4697
**DESCRIPTION:**IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186790 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2020-4487
**DESCRIPTION:**IBM Engineering Workflow Management could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181862 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-4691
**DESCRIPTION:**IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVEID:CVE-2020-4733
**DESCRIPTION:**IBM Engineering Test Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188127 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| RMM | 6.0.6.1 |
| RMM | 6.0.6 |
| RMM | 7.0 |
| RMM | 7.0.1 |
| RMM | 6.0.2 |
| RELM | 6.0.6.1 |
| RELM | 6.0.6 |
| ENI | 7.0 |
| ENI | 7.0.1 |
| RELM | 6.0.2 |
| EWM | 7.0.1 |
| RTC | 6.0.6 |
| RTC | 6.0.2 |
| RTC | 6.0.6.1 |
| EWM | 7.0 |
| RTC | 6.0.6 |
| CLM | 6.0.6.1 |
| CLM | 6.0.6 |
| ELM | 7.0 |
| ELM | 7.0.1 |
| CLM | 6.0.2 |
| Rhapsody DM | 6.0.6 |
| Rhapsody DM | 6.0.6.1 |
| Rhapsody DM | 6.0.2 |
| RDM | 7.0 |
| RDM | 7.0.1 |
| EWM | 7.0.1 |
| RQM | 6.0.6.1 |
| RQM | 6.0.6 |
| ETM | 7.0.0 |
| RQM | 6.0.2 |
| RDNG | 6.0.2 |
| DOORS Next | 7.0 |
| DOORS Next | 7.0.1 |
| RDNG | 6.0.6.1 |
| RDNG | 6.0.6 |
Remediation/Fixes
For the 6.0 - 7.0.1 releases:
Upgrade to version 7.0.1 iFix005 or later
- IBM Engineering Lifecycle Management 7.0.1 iFix005
- IBM Engineering Requirements Management DOORS Next 7.0.1 iFix005
- IBM Engineering Test Management 7.0.1 iFix005
- IBM Engineering Workflow Management 7.0.1 iFix005
- IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix005
- IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix005
- IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix005
Upgrade to version 7.0 iFix007 or later
- IBM Engineering Lifecycle Management 7.0 iFix007
- IBM Engineering Requirements Management DOORS Next 7.0 iFix007
- IBM Engineering Test Management 7.0 iFix007
- IBM Engineering Workflow Management 7.0 iFix007
- IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix007
- IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix007
- IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix007
- Upgrade to version 6.0.6.1 iFix011 or later
- Rational Collaborative Lifecycle Management 6.0.6.1 iFix011
- Rational DOORS Next Generation 6.0.6.1 iFix011
- Rational Quality Manager 6.0.6.1 iFix011
- Rational Team Concert 6.0.6.1 iFix011
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix011
Upgrade to version 6.0.6 iFix017 or later
- Rational Collaborative Lifecycle Management 6.0.6 iFix017
- Rational DOORS Next Generation 6.0.6 iFix017
- Rational Quality Manager 6.0.6 iFix017
- Rational Team Concert 6.0.6 iFix017
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix017
Upgrade to version 6.0.2 iFix025 or later
- Rational Collaborative Lifecycle Management 6.0.2 iFix025
- Rational Team Concert 6.0.2 iFix025
- Rational Quality Manager 6.0.2 iFix025
- Rational DOORS Next Generation 6.0.2 iFix025
- Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
- Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
- Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix025
For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
If the iFix is not found in the Fix Portal please contact IBM Support.
Workarounds and Mitigations
None
Related
0.001 Low
EPSS
Percentile
32.9%