APAR status
Closed as program error.
Error description
There is a serious security hole in the way ClearQuest Web works right now. Take two machines, serverA and serverB. Install ClearQuest and ClearQuest Web components on both.
On serverA:
In C:\Program Files\Rational\ClearQuest\cqweb\cqserver\config\jtl.properties, you can have JTLRMIREGISTRYSERVERS=serverA:1130
In C:\Program Files\Rational\Common\rwp\EmbeddedExpress\profiles\profile1\installedApps\DefaultNode\RationalClearQuestWeb.ear\CQWebModule.war\WEB-INF\classes\jtl.properties, you have JTLRMIREGISTRYSERVERS=serverA:1130
On serverB:
In C:\Program Files\Rational\ClearQuest\cqweb\cqserver\config\jtl.properties, you can have JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130
In C:\Program Files\Rational\Common\rwp\EmbeddedExpress\profiles\profile1\installedApps\DefaultNode\RationalClearQuestWeb.ear\CQWebModule.war\WEB-INF\classes\jtl.properties, you have JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130
On serverA, create one connection called PRODUCTION that points to, say, a SQL Server database server ProdServer. It also has a database called SAMPL which points to a physical database Prod.
On serverA, create one connection called PRODUCTION that points to, say, a SQL Server database server TESTServer. It also has a user database called SAMPL which points to a physical database TEST.
Restart services on both servers, serverA and serverB. You will see that some requests go to serverB. The end user doesn't know that all his submissions/changes are in fact going into a test database.
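An added audit check, not IBM's code and not part of the fix: given the jtl.properties contents collected from each host, it flags the asymmetry in the description above, where serverB's JTLRMIREGISTRYSERVERS list names serverA but serverA's list does not name serverB. The function names and the sample file contents are constructed for illustration.

```python
KEY = "JTLRMIREGISTRYSERVERS"

def parse_registry(text):
    """Return the set of host:port entries assigned to KEY in a .properties text."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":          # blank line or properties comment
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == KEY:          # a later assignment overrides an earlier one
            entries = {e.strip().lower() for e in value.split(",") if e.strip()}
    return entries

def audit(configs):
    """configs: {host: [text of each jtl.properties copy found on that host]}.
    Returns (host, message) findings; host names are compared case-insensitively."""
    findings, registry = [], {}
    for host, copies in configs.items():
        parsed = [parse_registry(c) for c in copies]
        if any(p != parsed[0] for p in parsed[1:]):
            findings.append((host.lower(), "copies of jtl.properties disagree"))
        registry[host.lower()] = set().union(*parsed)
    for host, entries in registry.items():
        for entry in sorted(entries):
            peer = entry.split(":")[0]
            if peer == host:
                continue
            if peer not in registry:
                findings.append((host, f"lists unaudited peer {entry}"))
            elif not any(e.split(":")[0] == host for e in registry[peer]):
                findings.append((host, f"lists {entry}, which does not list {host} back"))
    return findings

# Constructed sample: the two jtl.properties copies per host, as in the description.
SAMPLE = {
    "serverA": ["JTLRMIREGISTRYSERVERS=serverA:1130\n"] * 2,
    "serverB": ["JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130\n"] * 2,
}

if __name__ == "__main__":
    for host, message in audit(SAMPLE):
        print(f"{host}: {message}")
```
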
Local fix
Problem summary
A security vulnerability exists in ClearQuest Web.
Problem conclusion
A fix is available in ClearQuest version 7.1
Temporary fix
Comments
APAR Information
APAR number
PK38745
Reported component name
CLRQUEST MSITE
Reported component ID
5724G3701
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-02-05
Closed date
2008-12-01
Last modified date
2008-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CLRQUEST MSITE
Fixed component ID
5724G3701
Applicable component levels
R700 PSN
UP
Document Information
Modified date:
01 December 2008