Flash (Alert)
Abstract
Questions and answers about the security vulnerability for Rational License Key Server (RLKS) 8.1.3.
Content
Has this vulnerability been disclosed publicly?
Yes, the vulnerability was disclosed on August 17, 2011 by Zero Day Initiative.
Is IBM aware of any exploitation?
No.
Is IBM aware of the availability of the exploitation code?
No.
Does IBM have a mitigation in place?
Yes, fixes and mitigation actions are available. For more information, see the security bulletin.
The CVSS score is 10, how soon do I need to apply the mitigation?
Considering that IBM is not aware of any exploitation that has occurred, and that there is no exploitation code available, the likelihood of an attack is not as high as the CVSS score would indicate. IBM recommends applying the iFix for RLKS 8.1.3 as soon as practical.
Customers using RLKS 8.0, RCL 7.x or TL 2.0 should migrate to RLKS 8.1.3 and apply the iFix. It is recommended that customers who wish to remain with RLKS 8.0, RCL 7.x or TL 2.0 apply the mitigation action described in the mitigation document and migrate to RLKS 8.1.3 as soon as practical.
What does the iFix do?
The iFix only includes a fix for this security issue. It updates lmgrd and the vendor daemon, ibmratl.
Can I back out the iFix if I believe something broke?
Yes, the iFix can be removed with IBM Installation Manager on Windows. On UNIX platforms, uninstall the server (RLKS 8.1.1, 8.1.2) with the iFix and reinstall the original license server. The iFix on RLKS 8.1.3 can be removed with IBM Installation Manager on all UNIX platforms.
Why didn't IBM release an iFix for RLKS 8.0, RCL 7.x or TL 2.0?
These are very old versions of the license servers, and many customers have already upgraded to RLKS 8.1.1, 8.1.2, and 8.1.3 for other reasons. Migrating to RLKS 8.1.3 and applying the iFix provides a complete solution. RLKS 8.1.3 has significant benefits over RLKS 8.0, RCL 7.x, and TL 2.0 in capability and platform support. It also reduces the cost of ownership by combining the RCL and TL license servers.
It is recommended that customers who wish to remain on the older license servers apply one of the mitigation actions described in the mitigation document.