Lucene search

IBMF5382A7DA6BE298A4C193771C70F9DBBC9306014F9A4E93D9EFF4170137A9CC6

HistoryOct 03, 2023 - 2:05 p.m.

Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affects IBM Rational ClearCase.

2023-10-0314:05:49

www.ibm.com

ibm java runtime

vulnerabilities

ibm rational clearcase

cve-2023-33850

cve-2023-32342

cve-2023-21930

cve-2023-21967

security bulletin

remediation

websphere application server

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

61.8%

JSON

Summary

There are vulnerabilities in the IBM® Runtime Environment Java™ Versions 7 and 8, which is used by IBM Rational ClearCase. CVE-2023-33850, CVE-2023-32342, CVE-2023-21930, CVE-2023-21967

Vulnerability Details

CVEID:CVE-2023-33850
**DESCRIPTION:**IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-32342
**DESCRIPTION:**IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255828 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-21930
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-21967
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253156 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Rational ClearCase	9.0.2

Remediation/Fixes

The solution is to install a fix that includes an updated Java™ Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS).

Client and server fixes

Apply the relevant fixes as listed in the table below.

Affected Versions

Applying the fix

—|—

9.0.2 through 9.0.2.7

| Install Rational ClearCase Fix Pack 8 (9.0.2.8) for 9.0.2

For 9.0.2.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

For 10.0.0.x releases, IBM recommends upgrading to 10.0.1.x release.

Notes:

If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), or you use rcleartool or CMAPI using a Java™ Virtual Machine not supplied by IBM as part of Rational ClearCase, you should update the Java™ Virtual Machine that you use to include a fix for the above issues. Contact the supplier of your Java™ Virtual Machine and/or the supplier of your Eclipse shell.

CCRC WAN server fixes

Affected Versions

Applying the fix

—|—

9.0.2.x

| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.

Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or <ccase-home>/common/ccrcprofile), then execute the script: bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes a section “IBM WebSphere Application Server”. Make note of the version listed in this section.
Review the following WAS security bulletin:
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server October 2021 CPU
and apply the latest available fix for the version of WAS used for CCRC WAN server.

**Note:**there may be newer security fixes for WebSphere Application Server. Follow the link below (in the section "

Affected configurations

Vulners

Node

ibmrational_clearcaseMatch9.0.0

ibmrational_clearcaseMatch9.0.1

ibmrational_clearcaseMatch9.0.2

VendorProductVersionCPE
ibmrational_clearcase9.0.0cpe:2.3:a:ibm:rational_clearcase:9.0.0:*:*:*:*:*:*:*
ibmrational_clearcase9.0.1cpe:2.3:a:ibm:rational_clearcase:9.0.1:*:*:*:*:*:*:*
ibmrational_clearcase9.0.2cpe:2.3:a:ibm:rational_clearcase:9.0.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	rational_clearcase	9.0.0	cpe:2.3:a:ibm:rational_clearcase:9.0.0:::::::*
ibm	rational_clearcase	9.0.1	cpe:2.3:a:ibm:rational_clearcase:9.0.1:::::::*
ibm	rational_clearcase	9.0.2	cpe:2.3:a:ibm:rational_clearcase:9.0.2:::::::*