6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
There are multiple vulnerabilities in OpenSSL that is used by affect Rational ClearCase. These issues were disclosed on August 6, 2014 by the OpenSSL Project.
| Subscribe to My Notifications to be notified of important product support alerts like this.
CVE-ID: CVE-2014-5139
Description: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when an SRP ciphersuite is specified without being properly negotiated with the client. A remote attacker could exploit this vulnerability to cause the client to crash.
CVSS Base Score: 5 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/95166>_ for more information *CVSS Environmental Score:**Undefined **CVSS Vector: **(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3511
Description: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95162> for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-3509
Description: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/95159>_ for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
IBM Rational ClearCase versions:
Version
|
Status
—|—
8.0.1 through 8.0.1.5
|
Affected
8.0 through 8.0.0.12
|
Affected
7.1.0.x, 7.1.1.x, 7.1.2.x (all versions)
|
Affected
7.0.x
|
Not affected
Not all deployments of Rational ClearCase use OpenSSL in a way that is affected by these vulnerabilities.
You are vulnerable if your use of Rational ClearCase includes any of these configurations:
You use the base ClearCase/ClearQuest integration client on any platform, configured to use SSL to communicate with a ClearQuest server.
You use the UCM/ClearQuest integration on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest server.
Note: Windows clients using the UCM/ClearQuest integration are not vulnerable.
You use the Change Management Integrations for base ClearCase with ClearQuest or Rational Team Concert (RTC), or for UCM with ClearQuest or RTC on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest or RTC server.
Note: Windows clients using the CMI integration are not vulnerable.
You use ratlperl, ccperl, or cqperl to run your own perl scripts, and those scripts use SSL connections.
Apply a fix pack for your appropriate release of ClearCase. These fix packs include OpenSSL 1.0.1i.
Affected Versions
|
** Applying the fix**
—|—
8.0.1.x
| Install Rational ClearCase Fix Pack 6 (8.0.1.6)
8.0.0.x
| Install Rational ClearCase Fix Pack 13 (8.0.0.13)
7.1.2.x
7.1.1.x
7.1.0.x
| Customers with extended support contracts should install Rational ClearCase Fix Pack 16 (7.1.2.16)
Disable the ClearCase/ClearQuest integration and any customized defined use of ratlperl, ccperl, or cqperl with SSL until you apply the fixes listed above.