PK75832: UCM-CQ ON LINUX/AIX: USER LOGIN CREDENTIALS IN PLAIN-TEXT BY PS -EF COMMAND

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • UCM-CQ on Linux/AIX: user login credentials in plain-text by ps
    -ef command
    
    Was Reproduced in house, on 7.0.1.2.  Note the customer is on 7.
    0.1.1 iFix02
    Steps to Repro'
    
    1. So I brought up xclearcase on AIX
    2. During a 'checkout' I selected the 'new' button to create a n
    ew UCM baseActivity record.
    3. At that point I saw the following process running (it shows t
    he database username and password in cleartext).
    4.The customer reproduced this with -cmd find (probably trying t
    o search for all activities or something like that).. so I'm sur
    e there are more cases that just submit where we are passing thi
    s data.  Did this on both AIX and Linux.
    
    The in house repro output is:
    
    judyh 22598 27544  90 17:29:21  pts/2 0:01 /opt/rational/clearqu
    est/aix4_power/bin/../../../common/java/jre/bin/java -cp /opt/ra
    tional/clearquest/rcp/plugins/com.ibm.rational.clearquest.ucm.rc
    p_7.0.0/ucmrcp.jar com.ibm.rational.clearquest.ucm.cmdline.UCMCm
    dLine -cmd submit -m 7.0.0 -d judy -u judy -p cag -rec BaseCMAct
    ivity -return_id /tmp/tmp28807
    

Local fix

Problem summary

  • A security vulnerability exists in ClearCase version 7.
    

Problem conclusion

  • A fix is available in ClearCase versions 7.0.0.5, 7.0.1.4,
    and 7.1.0.1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK75832

  • Reported component name

    CLEARCASE UNIX

  • Reported component ID

    5724G2901

  • Reported release

    60L

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-11-17

  • Closed date

    2009-04-08

  • Last modified date

    2009-04-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CLEARCASE UNIX

  • Fixed component ID

    5724G2901

Applicable component levels

  • R60L PSN

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Rational ClearCase

Software version:

6.0.L

Reference #:

PK75832

Modified date:

2009-04-08

Translate my page

Machine Translation

Content navigation