Skip to main content


PK38745: There is a serious security hole in the way Clearquest web works right now.

 

APAR status

  • Closed as program error.

Error description

  • There is a serious security hole in the way Clearquest web works
right now.
Take two machines serverA and serverB. Install Clearquest and cl
earquest web components on both.
On serverA:
In C:\Program Files\Rational\ClearQuest\cqweb\cqserver\config\jt
l.properties, you can have
JTLRMIREGISTRYSERVERS=serverA:1130
In C:\Program Files\Rational\Common\rwp\EmbeddedExpress\profiles
\profile1\installedApps\DefaultNode\RationalClearQuestWeb.ear\CQ
WebModule.war\WEB-INF\classes\jtl.properties, you have
JTLRMIREGISTRYSERVERS=serverA:1130
On serverB:
In C:\Program Files\Rational\ClearQuest\cqweb\cqserver\config\jt
l.properties, you can have
JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130
In C:\Program Files\Rational\Common\rwp\EmbeddedExpress\profiles
\profile1\installedApps\DefaultNode\RationalClearQuestWeb.ear\CQ
WebModule.war\WEB-INF\classes\jtl.properties, you have
JTLRMIREGISTRYSERVERS=serverA:1130,serverB:1130
On serverA, create one connection called  PRODUCTION that points
 to say a SQL server database server ProdServer. It also has a d
atabase called SAMPL which points to a physical database Prod.
On serverA, create one connection called  PRODUCTION that points
 to say a SQL server database server TESTServer. It also has a u
ser database called SAMPL which points to a physical database TE
ST.
Restart services on both servers serverA and serverB.
You will see that some requests go to serverB. the end user does
n't know that all his submissions/changes in fact are going into
 a test database.

Local fix

  • 



Problem summary


    

  • A security vulnerability exists in ClearQuest Web.

    



Problem conclusion


    

  • A fix is available in ClearQuest version 7.1

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK38745
    • 

  • Reported component name
    CLRQUEST MSITE
    • 

  • Reported component ID
    5724G3701
    • 

  • Reported release
    700
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2007-02-05
    • 

  • Closed date
    2008-12-01
    • 

  • Last modified date
    2008-12-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    CLRQUEST MSITE
    • 

  • Fixed component ID
    5724G3701
    • 



Applicable component levels


    

  • R700  PSN
       UP
    • 








		


		
Copyright and trademark information

		

			
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

		

		


		

		
Rate this page

		

			
Please take a moment to complete this form to help us better serve you.

		

		
		

		
		
		
		
		
		
		

		

			
This material provides me with the information I need.

		

		

		

			 

			 

			 

			 

			 

		

		

		

  		
		

		

			
This material is clear and easy to understand.

		

		

		

			 

			 

			 

			 

			 

		

		

		

  		

		

		

			
Did the information help you to achieve your goal?

		

		

		

			
			
			
		

		

		


		

		

			
What updates, improvements, or related information would you like to see in this document?

		

		

			

		

		


		

			
Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.

		

		

			
Input the verification number to submit feedback:

		

		

			


		

		

		

			

		

		

		


		

		
		





Close [x]









   



Maintenance Window
 








     

  • The IBM Technical support pages, including the Downloads and Drivers Finders will be temporarily unavailable for up to 4 hours due to planned maintenance. This will take place between Saturday November 14, 2009 9:00 PM ET and Sunday, November 15, 2009 7:00 AM ET. During the maintenance, you will not be able to search or download from these pages.
    • 






   
















Close [x]









   



Unscheduled Maintenance Window









There is no unscheduled maintenance scheduled at this time.





   










		

			


			

				





		

		
		


		
Document information

		

			
Product categories:

		
		
Software
Software Development
Change, Configuration, & Release Management
Rational ClearQuest MultiSite

		
		

		
			
Software version:

			
700

			

		

		

		
			
Reference #:

			

		PK38745
			

			

		

			
IBM Group:

			
Software Group

			

			
Modified date:

			
2008-12-01

		

		


		
Translate my page

		

			

			

			
			

			
			
			
			

		

		


		
Rate this page

		

			
		

		


		

		
			
Availability Notices