The 4.x releases of IBM Rational Quality Manager (RQM), IBM Rational Team Concert (RTC) and IBM Rational Requirements Composer (RRC) ship with an IBM Java runtime that is based on Oracle Java. Oracle's April 2013 Critical Patch Update (CPU) contains security vulnerability fixes, and IBM Java is affected.
CVE ID: CVE-2013-0169
The TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, also known as the "Lucky Thirteen" issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS:
Rational Quality Manager 4.0.3 and earlier
Rational Team Concert 4.0.3 and earlier
Rational Requirements Composer 4.0.3 and earlier
The recommended solution is to apply the fix to all previous versions as soon as practical. Please see below for information on the fixes available.
The Rational Quality Manager 4.0.4 release includes an updated IBM Java version which addresses these security issues.
The Rational Team Concert 4.0.4 release includes an updated IBM Java version which addresses these security issues.
The Rational Requirements Composer 4.0.4 release includes an updated IBM Java version which addresses these security issues.
IBM Security Alerts: Oracle April 2013
Oracle Critical Patch Update Advisory – April 2013
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
6 September 2013: Original Copy Published
| Segment | Product | Component | Platform | Version |
|---|---|---|---|---|
| Software Development | Rational Team Concert | General Information | AIX, Linux, Solaris, Windows | 4.0, 126.96.36.199, 188.8.131.52, 4.0.1, 4.0.2, 4.0.3 |
| Software Development | Rational Requirements Composer | General Information | Windows, Linux | 4.0, 184.108.40.206, 220.127.116.11, 4.0.1, 4.0.2, 4.0.3 |
| Software Development | Rational Collaborative Lifecycle Management | General Information | AIX, Linux, Solaris, Windows | 4.0, 4.0.1, 4.0.2, 4.0.3 |