Security Bulletin: Multiple vulnerabilities in Rational Collaborative Lifecycle Management 4.0.1 (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Security Bulletin


Summary

Vulnerabilities have been identified in IBM Rational Team Concert (RTC), IBM Rational Quality Manager (RQM), and IBM Rational Requirements Composer (RRC) versions 4.0 and 4.0.1 and the Rational Collaborative Lifecycle Management Solution (CLM), allowing a remote attacker to bypass access restrictions on the server process.

Vulnerability Details

Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVEID: CVE-2012-5885

Description: Replay-countermeasure functionality in HTTP Digest Access Authentication has a flaw, which makes it easier for attackers to bypass access restrictions.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2012-5886

Description: HTTP Digest Access Authentication implementation could potentially allow an attacker to bypass authentication.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80407 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2012-5887

Description: HTTP Digest Access Authentication implementation has a flaw which allows an
attacker to bypass restrictions.

CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79809 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

CLM 4.0.1 and earlier
RTC 4.0.1 and earlier
RQM 4.0.1 and earlier
RRC 4.0.1 and earlier

Remediation/Fixes

Apply version 4.0.2 or later to resolve the issue.

Downloads are available from https://jazz.net/downloads

Workarounds and Mitigations

Isolate systems from untrusted network traffic by means of firewalls.

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Related information

Acknowledgement

None

Change History

21 March 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational Quality Manager General Information Linux, Windows 4.0, 4.0.0.1, 4.0.0.2, 4.0.1 Standard, Express
Software Development Rational Requirements Composer General Information Windows, Linux 4.0, 4.0.0.1, 4.0.0.2, 4.0.1
Software Development Rational Team Concert General Information Linux, Windows 4.0, 4.0.0.1, 4.0.0.2, 4.0.1 Standard, Express-C, Express, Enterprise

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Rational Collaborative Lifecycle Management
General Information

Software version:

4.0.1

Operating system(s):

AIX, Linux, Windows

Reference #:

1626891

Modified date:

2014-02-17

Translate my page

Machine Translation

Content navigation