IBM Support

PK38745: There is a serious security hole in the way Clearquest web works right now.


APAR status

  • Closed as program error.

Error description

  • There is a serious security hole in the way Clearquest web works right now.
    Take two machines serverA and serverB. Install Clearquest and clearquest web components on both.
    On serverA:
    In C:\Program Files\Rational\ClearQuest\cqweb\cqserver\config\jtl.properties, you can have
    JTLRMIREGISTRYSERVERS=serverA:1130
    In C:\Program Files\Rational\Common\rwp\EmbeddedExpress\profiles\profile1\installedApps\DefaultNode\RationalClearQuestWeb.ear\CQWebModule.war\WEB-INF\classes\jtl.properties, you have
    JTLRMIREGISTRYSERVERS=serverA:1130
    On serverB:
    In C:\Program Files\Rational\ClearQuest\cqweb\cqserver\config\jtl.properties, you can have
    JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130
    In C:\Program Files\Rational\Common\rwp\EmbeddedExpress\profiles\profile1\installedApps\DefaultNode\RationalClearQuestWeb.ear\CQWebModule.war\WEB-INF\classes\jtl.properties, you have
    JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130
    On serverA, create one connection called PRODUCTION that points to say a SQL server database server ProdServer. It also has a database called SAMPL which points to a physical database Prod.
    On serverA, create one connection called PRODUCTION that points to say a SQL server database server TESTServer. It also has a user database called SAMPL which points to a physical database TEST.
    Restart services on both servers serverA and serverB.
    You will see that some requests go to serverB. The end user doesn't know that all his submissions/changes in fact are going into a test database.
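
For releases before the fix, one way to audit the configuration described above is to check every jtl.properties copy for registry hosts outside an approved set. This is an added example, not IBM's code: the approved-host allowlist, the short file labels and the sample file contents are assumptions constructed from the description, and only the JTLRMIREGISTRYSERVERS key and its values come from the page.

```python
KEY = "JTLRMIREGISTRYSERVERS"

def registry_servers(properties_text):
    """Return the (host, port) entries of JTLRMIREGISTRYSERVERS, hosts lowercased."""
    servers = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":          # blank line or .properties comment
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == KEY:
            servers = []                          # a repeated key replaces the earlier one
            for entry in value.split(","):
                host, _, port = entry.strip().partition(":")
                if host:
                    servers.append((host.lower(), port))
    return servers

def audit(machine, files, approved_hosts):
    """files maps a label for each jtl.properties copy to its text; returns findings."""
    approved = {h.lower() for h in approved_hosts}
    parsed = {label: registry_servers(text) for label, text in files.items()}
    findings = []
    for label, servers in parsed.items():
        for host, port in servers:
            if host not in approved:
                findings.append(f"{machine}: {label} lists unapproved registry host {host}:{port}")
    if len({tuple(s) for s in parsed.values()}) > 1:
        findings.append(f"{machine}: jtl.properties copies disagree")
    return findings

# Constructed sample input mirroring the two machines in the description.
FLEET = {
    "serverA": {
        "cqserver/config": "JTLRMIREGISTRYSERVERS=serverA:1130\n",
        "CQWebModule.war/WEB-INF/classes": "JTLRMIREGISTRYSERVERS=serverA:1130\n",
    },
    "serverB": {
        "cqserver/config": "JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130\n",
        "CQWebModule.war/WEB-INF/classes": "JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130\n",
    },
}
APPROVED = {"serverA"}  # assumption: the only host meant to serve production requests

def audit_fleet(fleet=FLEET, approved=APPROVED):
    return [f for machine, files in fleet.items() for f in audit(machine, files, approved)]

if __name__ == "__main__":
    for finding in audit_fleet():
        print(finding)
```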
    

Local fix

Problem summary

  • A security vulnerability exists in ClearQuest Web.
    

Problem conclusion

  • A fix is available in ClearQuest version 7.1
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK38745

  • Reported component name

    CLRQUEST MSITE

  • Reported component ID

    5724G3701

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-02-05

  • Closed date

    2008-12-01

  • Last modified date

    2008-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CLRQUEST MSITE

  • Fixed component ID

    5724G3701

Applicable component levels

  • R700 PSN

       UP


Document Information

Modified date:
01 December 2008