Security Bulletin: Rational RequisitePro affected by OpenSSL vulnerabilities (CVE-2014-0224, CVE-2014-3470)

Summary

Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

CVE-ID:CVE-2014-0224

**Description:**OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability to conduct man-in-the-middle attacks to decrypt and modify traffic.

CVSS Base Score: 5.8 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93586&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-ID:CVE-2014-3470

**Description:**OpenSSL is vulnerable to a denial of service, caused by the implementation of anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93589&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Rational RequisitePro versions:

You are vulnerable if you use ratlperl, ccperl or cqperl to run your own perl scripts, and those scripts use SSL connections.

Remediation/Fixes

Apply a fix pack for your appropriate ReqPro release. These fix packs include OpenSSL 1.0.1h

Workarounds and Mitigations

Avoid usage of ratlperl, ccperl or cqperl with SSL until you apply the fixes listed above.