Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology

Summary

The Jazz Team Server is shipped with/or supports versions of the Apache Tomcat web server which contains a security vulnerabilities that could potentially impact the following IBM Rational products deployed on Apache Tomcat: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2018-1305**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce security constraints that are defined by annotations of Servlets in certain cases. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139475 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-1323**
DESCRIPTION:** Apache Tomcat JK ISAPI Connector could allow a remote attacker to obtain sensitive information, caused by the improper handling of HTTP request paths in jk_isapi_plugin.c. An attacker could exploit this vulnerability using the reverse proxy to expose application resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140213 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1304**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce security constraint definitions that contain a URL pattern of “” (the empty string) that exactly maps to the context root. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139476 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 5.0 - 6.0.5

Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.5

Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.5

Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.5

Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.5

Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.5

Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.1

Remediation/Fixes

Step 1.
Apply the latest ifix to your installed product version:

For the 6.0 - 6.0.5 releases:

Upgrade to version 6.0.5 iFix004 or later versions
* Rational Collaborative Lifecycle Management 6.0.5 iFix004
* Rational Team Concert 6.0.5 iFix004
* Rational Quality Manager 6.0.5 iFix004
* Rational DOORS Next Generation 6.0.5 iFix004
* Rational Software Architect Design Manager:_ Upgrade to version 6.0.4 and install server from CLM 6.0.5 iFix004
* Rational Rhapsody Design Manager: Upgrade to version 6.0.4 and install server from CLM 6.0.5 iFix004
* Rational Engineering Lifecycle Manager: _Upgrade to version 6.0.4 and install server from CLM 6.0.5 iFix004

Or upgrade to version 6.0.2 iFix16 or later versions
* Rational Collaborative Lifecycle Management 6.0.2 iFix16
* Rational Team Concert 6.0.2 iFix16
* Rational Quality Manager 6.0.2 iFix16
* Rational DOORS Next Generation 6.0.2 iFix16
* Rational Software Architect Design Manager:_ Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix16
* Rational Rhapsody Design Manager: Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix16
* Rational Engineering Lifecycle Manager: _Upgrade to version 6.0.2 and install server from CLM 6.0.2 iFix16
*
For the 5.x releases, upgrade to version 5.0.2 iFix25 or later versions

• Rational Collaborative Lifecycle Management 5.0.2 iFix25
• Rational Team Concert 5.0.2 iFix25
• Rational Quality Manager 5.0.2 iFix25
• Rational DOORS Next Generation 5.0.2 iFix25
• Rational Software Architect Design Manager:_ _Upgrade to version 5.0.2 and install server from CLM 5.0.2 iFix25
• Rational Rhapsody Design Manager:_ _Upgrade to version 5.0.2 and install server from CLM 5.0.2 iFix25
• Rational Engineering Lifecycle Manager:_ _Upgrade to version 5.0.2 and install server from CLM 5.0.2 iFix25

Step 2:
Upgrade your Apache Tomcat to version 7.0.85 or later. Perform How to update the Apache Tomcat server for IBM Rational products based on versions 3.0.1.6, 4.0.7 or later of IBM’s Jazz technology to apply the remediation.

For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None