Lucene search

K
ibmIBMED3398C5C326B83DCA179D31DA4F4E20488FC75CC500479672179B7E4631AE94
HistoryMar 01, 2024 - 7:00 a.m.

Security Bulletin: Multiple vulnerabilities in libcURL affect IBM Rational ClearCase.

2024-03-0107:00:05
www.ibm.com
24
ibm rational clearcase
libcurl
remote attackers
security restrictions
dos
mismatch wildcard patterns
fix packs

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.002 Low

EPSS

Percentile

52.3%

Summary

libcURL vulnerabilities were disclosed by the libcURL Project. libcURL is used by IBM Rational ClearCase. [CVE-2023-28322, CVE-2023-28320, CVE-2023-28321]

Vulnerability Details

CVEID:CVE-2023-28322
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST… By sending a specially crafted request, an attacker could exploit this vulnerability to cause application to misbehave and either send off the wrong data or use memory after free or similar in the second transfer.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255626 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-28320
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a race condition flaw in the siglongjmp() function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash or misbehave.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-28321
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw when listed as “Subject Alternative Name” in TLS server certificates. By sending a specially crafted request, an attacker could exploit this vulnerability to accept mismatch wildcard patterns.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Rational ClearCase 9.1
IBM Rational ClearCase 9.0.2

Remediation/Fixes

Apply a fix pack as listed in the table below.

Affected Versions

|

Applying the fix

—|—
9.1 through 9.1.0.4| Install Rational ClearCase Fix Pack 5 (9.1.0.5) for 9.1
9.0.2 through 9.0.2.7| Install Rational ClearCase Fix Pack 8 (9.0.2.8) for 9.0.2

For 9.0.2.X and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

_For 10.0.0.x releases, IBM recommends upgrading to 10.0.1.x release. _

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmrational_clearcaseMatch8.0.0
OR
ibmrational_clearcaseMatch8.0.1
OR
ibmrational_clearcaseMatch9.0.0
OR
ibmrational_clearcaseMatch9.0.1
OR
ibmrational_clearcaseMatch9.0.2
OR
ibmrational_clearcaseMatch9.1

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.002 Low

EPSS

Percentile

52.3%