**CVSS2:** 4 Medium

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | HIGH
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | NONE

**Vector:** AV:N/AC:H/Au:N/C:P/I:P/A:N

An attacker can monitor a long-lived encrypted CCRC session and potentially decrypt the entire session.
**CVE ID:** CVE-2014-0411
**Description:** Timing differences based on the validity of messages can be exploited to decrypt an entire SSL session. The exploit is not trivial, requiring a man-in-the-middle position and a long time (around 20 hours). ClearCase Remote Client is vulnerable to this attack if a single operation runs for such a long time.
**CVSS Base Score:** 4
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357> for the current score
**CVSS Environmental Score\*:** Undefined
**CVSS Vector:** (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Only the ClearCase Remote Client/ClearTeam Explorer component of ClearCase is affected.

ClearCase Remote Client/ClearTeam Explorer version | Status
---|---
8.0.1 through 8.0.1.3 | Affected
8.0 through 8.0.0.10 | Affected
7.1.2 through 7.1.2.13 | Affected
7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected
7.0.x | Not affected

The solution is to upgrade to a newer fix pack of ClearCase. Please see below for information on the fixes available.

Affected Versions | **Applying the fix**
---|---
8.0.1.x | Install Rational ClearCase Fix Pack 4 (8.0.1.4) for 8.0.1
8.0.0.x | Install Rational ClearCase Fix Pack 11 (8.0.0.11) for 8.0
7.1.2.x (except HP-UX) | Install Rational ClearCase Fix Pack 14 (7.1.2.14) for 7.1.2
7.1.1.x (except HP-UX)<br>7.1.0.x (except HP-UX) | Install Rational ClearCase Fix Pack 14 (7.1.2.14) for 7.1.2

Notes:
None