Security Bulletin: Potential security vulnerabilities in Rational Requirements Composer 4.x (CVE-2013-3036, CVE-2013-3037, CVE-2013-3038, CVE-2013-3039)

Flash (Alert)


Abstract

Customers should upgrade to Rational Requirements Composer V4.0.4 to receive fixes for several unspecified security issues.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2013-3036

DESCRIPTION:
An unspecified vulnerability in Rational Requirements Composer could allow a remote attacker to provide a manipulated URL that could cause legitimate users to fall victim to phishing attacks by redirecting the user to a seemingly legitimate web site.

CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84688 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


CVE ID: CVE-2013-3037

DESCRIPTION:
An unspecified vulnerability in Rational Requirements Composer makes the execution of malicious or unintended code easier.

CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84689 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-3038

DESCRIPTION:
An unspecified vulnerability in Rational Requirements Composer makes it susceptible to unauthorized interception and/or retrieval of authentication credentials.

CVSS Base Score: 5.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84708 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-3039

DESCRIPTION:
An unspecified vulnerability in Rational Requirements Composer could insecurely perform authentication.

CVSS Base Score: 5.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:N/Au:N/C:P/I:P/A:P)


AFFECTED PRODUCTS AND VERSIONS:
Rational Requirements Composer 4.0.3 and earlier.

REMEDIATION:
The recommended solution is to apply the fix to all previous versions as soon as practical. Please see below for information on the fixes available.

Fix:
The Rational Requirements Composer Manager 4.0.4 release includes updates that address these security issues.

Workaround(s):
None.

Mitigation(s):
None.

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-3036
http://xforce.iss.net/xforce/xfdb/84688
CVE-2013-3037
http://xforce.iss.net/xforce/xfdb/84689
CVE-2013-3038
http://xforce.iss.net/xforce/xfdb/84708
CVE-2013-3039
http://xforce.iss.net/xforce/xfdb/84709


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT:
None

CHANGE HISTORY:
6 September 2013: Original copy published
12 September 2013: Vector updates

*The CVSS Environment Score is customer environment specific and will ultimately impact
the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their
environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to
convey vulnerability severity and help to determine urgency and priority of response." IBM
PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Product Alias/Synonym

RRC
RM

Document information

More support for: Rational Requirements Composer, General Information
Software version: 4.0.4
Operating system(s): Linux, Windows
Software edition: All Editions
Reference #: 1645927
Modified date: 2013-09-15