Security Bulletin: SSL timing vulnerabilities in ClearCase Remote Client (CVE-2014-0411)

Published: July 10, 2018, 08:34
Source: www.ibm.com

CVSS2 base score: 4 (Medium)

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

Summary

An attacker can monitor a long-lived encrypted CCRC session and potentially decrypt the entire session.

Vulnerability Details


**CVE ID:** CVE-2014-0411

**Description:** Timing differences based on the validity of messages can be exploited to decrypt an entire SSL session. The exploit is not trivial, requiring a man-in-the-middle position and a long time (around 20 hours). ClearCase Remote Client is vulnerable to this attack if a single operation runs for such a long time.
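The description above identifies the root cause as processing time that depends on whether a received message is valid. The following Python script is an added illustration, not IBM's code and not the JSSE code the bulletin refers to: it uses a constructed record format (a payload followed by an HMAC-SHA1 tag) to show how an early-exit validity check reveals, through the amount of work it does, how much of an attacker-supplied message was "valid", and how a constant-time comparison removes that dependency. The names `leaky_verify`, `constant_time_verify`, `tampered_record` and `timing_profile` and the key are chosen for this example only; the number of bytes examined stands in for elapsed time so that the result is deterministic.

```python
"""Validity-dependent timing versus a constant-time check (added example).

The record format, key and MAC construction are constructed for this
illustration; they are not ClearCase's or JSSE's.
"""
import hashlib
import hmac

KEY = b"constructed-example-key"   # fixed so the demo is reproducible
MAC_LEN = 20                        # HMAC-SHA1 digest length


def mac_of(payload: bytes) -> bytes:
    """Tag for a payload under the constructed record format."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()


def leaky_verify(record: bytes):
    """Naive check: returns (is_valid, bytes_examined).

    The loop stops at the first mismatching tag byte, so the work done (and
    therefore the time taken) grows with the length of the correct prefix.
    An observer who can measure that time learns something about validity
    even though the function only answers True/False.
    """
    payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = mac_of(payload)
    examined = 0
    for a, b in zip(expected, tag):
        examined += 1
        if a != b:
            return False, examined
    return len(tag) == MAC_LEN, examined


def constant_time_verify(record: bytes):
    """Hardened check: the work done does not depend on where a mismatch is.

    hmac.compare_digest always processes the full length of its inputs, so
    every invalid record costs the same as a valid one.
    """
    payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = mac_of(payload)
    return hmac.compare_digest(expected, tag), MAC_LEN


def tampered_record(payload: bytes, correct_prefix: int) -> bytes:
    """Constructed input: tag correct for `correct_prefix` bytes, then wrong."""
    tag = bytearray(mac_of(payload))
    tag[correct_prefix] ^= 0xFF        # guarantee a mismatch at this position
    return payload + bytes(tag)


def timing_profile(payload: bytes, verify):
    """Bytes examined by `verify` as the correct prefix grows from 0 upward."""
    return [verify(tampered_record(payload, k))[1] for k in range(MAC_LEN)]


if __name__ == "__main__":
    sample = b"constructed record payload"
    print("early-exit check :", timing_profile(sample, leaky_verify))
    print("constant-time    :", timing_profile(sample, constant_time_verify))
```

Run stand-alone, the first line climbs from 1 to 20 as more of the tag is correct, while the second line is flat: that flat profile is the property a TLS implementation needs on its record-validity path, and it is why the only remediation the bulletin offers is updating the Java runtime that performs the check rather than any configuration change.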

CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90357> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

Only the ClearCase Remote Client/ClearTeam Explorer component of ClearCase is affected.

| ClearCase Remote Client/ClearTeam Explorer version | Status |
|---|---|
| 8.0.1 through 8.0.1.3 | Affected |
| 8.0 through 8.0.0.10 | Affected |
| 7.1.2 through 7.1.2.13 | Affected |
| 7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected |
| 7.0.x | Not affected |

Remediation/Fixes

The solution is to upgrade to a newer fix pack of ClearCase. Please see below for information on the fixes available.

| Affected Versions | Applying the fix |
|---|---|
| 8.0.1.x | Install Rational ClearCase Fix Pack 4 (8.0.1.4) for 8.0.1 |
| 8.0.0.x | Install Rational ClearCase Fix Pack 11 (8.0.0.11) for 8.0 |
| 7.1.2.x (except HP-UX) | Install Rational ClearCase Fix Pack 14 (7.1.2.14) for 7.1.2 |
| 7.1.1.x (except HP-UX), 7.1.0.x (except HP-UX) | Install Rational ClearCase Fix Pack 14 (7.1.2.14) for 7.1.2. Note: 7.1.2.14 inter-operates with all 7.1.1.x systems, and can be installed in the same way as 7.1.1.x fix packs. |
| 7.1.2.x, 7.1.1.x, 7.1.0.x (HP-UX) | Customers with extended support contracts should install Rational ClearCase Fix Pack 16 (7.1.2.16) |

Notes:

  • If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), you should update the Java™ Virtual Machine used by Eclipse to include a fix for CVE-2014-0411. Contact the supplier of your Eclipse or Java™ Virtual Machine for instructions on updating Eclipse.
  • ClearCase 7.1.x for HP-UX uses the HP® JRE for J2SE™ HP-UX® 11i platform, adapted by IBM for IBM Software, Version 5.0. The fixes for this issue came in a later Java update for this platform, and are now available in a later ClearCase fix pack.
  • Additional vulnerabilities in Java as used by Rational ClearCase have been published. Please review Security Bulletin: Java security vulnerabilities in ClearCase Remote Client (CVE-2014-4263, CVE-2014-4244) to determine whether these vulnerabilities apply to your deployment.

Workarounds and Mitigations

None
