Security Bulletin: Potential security vulnerabilities in RQM, RTC and RRC for the Oracle October 2013 CPU

Security Bulletin


Summary

IBM Rational Quality Manager (RQM), IBM Rational Team Concert (RTC) and IBM Rational Requirements Composer (RRC) are shipped with an IBM Java that is based on the Oracle Java. Oracle has released October 2013 critical patch updates (CPU) which contain security vulnerability fixes and the IBM Java is affected.

Vulnerability Details


CVE ID: CVE-2013-5843

Description: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-5809

Description: An issue in the JRE could allow remote attackers to affect confidentiality, integrity and availability via unknown vectors related to 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87962 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVE ID: CVE-2013-5802

Description: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via vectors related to JAXP.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE ID: CVE-2013-4002

Description: The Apache Xerces-J XML parser is vulnerable to a denial of service attack, which could cause the XML parser to consume CPU resource for several minutes before the data is eventually rejected.

CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)


CVE ID: CVE-2013-5825

Description: A vulnerability allows remote attackers to affect confidentiality, integrity and availability via vectors related to JAXP.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-5823

Description: A vulnerability allows remote attackers to affect availability via unknown vectors related to Security.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-5780

Description: A vulnerability allows remote attackers to affect confidentiality via unknown vectors related to Libraries.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


CVE ID: CVE-2013-5803

Description: A vulnerability allows remote attackers to affect availability via vectors related to JGSS.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P)


CVE ID: CVE-2013-5772

Description: A vulnerability allows remote attackers to affect integrity via unknown vectors related to jhat.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-5372 (Non-Oracle. Specific to IBM JRE/SDK)

Description: The XML4J parser vulnerability allows remote attackers to cause a denial of service (memory consumption), triggered by specially crafted XML data.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
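Each base score above follows from its vector through the CVSS v2 base equations, so the published numbers can be recomputed rather than taken on trust. The following calculator is an added example, not part of the IBM bulletin; it uses the metric weights from the CVSS v2 guide and the CVE, vector and score values exactly as listed in this bulletin (vectors written in standard AV:N/AC:L/... notation).

```python
import re

# CVSS v2 metric weights, as given in the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Base vector, with or without the surrounding parentheses the bulletin uses.
VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$")

def parse_vector(vector):
    """Return the six CVSS v2 base metric values; reject anything malformed."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return m.groups()

def base_score(vector):
    """CVSS v2 base score (0.0 to 10.0), rounded to one decimal as the guide requires."""
    av, ac, au, c, i, a = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176  # a vector with no impact at all scores zero
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

# Vectors and published base scores copied from the bulletin above.
BULLETIN = {
    "CVE-2013-5843": ("AV:N/AC:L/Au:N/C:C/I:C/A:C", 10.0),
    "CVE-2013-5809": ("AV:N/AC:L/Au:N/C:C/I:C/A:C", 10.0),
    "CVE-2013-5802": ("AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5),
    "CVE-2013-4002": ("AV:N/AC:M/Au:N/C:N/I:N/A:C", 7.1),
    "CVE-2013-5825": ("AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    "CVE-2013-5823": ("AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    "CVE-2013-5780": ("AV:N/AC:M/Au:N/C:P/I:N/A:N", 4.3),
    "CVE-2013-5803": ("AV:N/AC:H/Au:N/C:N/I:N/A:P", 2.6),
    "CVE-2013-5772": ("AV:N/AC:H/Au:N/C:N/I:P/A:N", 2.6),
    "CVE-2013-5372": ("AV:N/AC:M/Au:N/C:N/I:N/A:P", 4.3),
}

def check_bulletin(entries=BULLETIN):
    """Map each CVE to (published, recomputed, agree) so any discrepancy stands out."""
    return {cve: (pub, base_score(vec), base_score(vec) == pub)
            for cve, (vec, pub) in entries.items()}

if __name__ == "__main__":
    for cve, (pub, calc, ok) in check_bulletin().items():
        print(f"{cve}: published {pub:4} recomputed {calc:4} {'OK' if ok else 'MISMATCH'}")
```

The temporal and environmental scores the bulletin leaves to the reader build on this base score; the referenced on-line calculator applies those additional metrics.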

Affected Products and Versions

Rational Quality Manager 4.0.5 and earlier
Rational Team Concert 4.0.5 and earlier
Rational Requirements Composer 4.0.5 and earlier

Remediation/Fixes

For RQM, RTC, and RRC versions 4.x, the JRE can be manually applied after upgrading to the latest 4.0.5 release. Contact IBM Support for additional information and access to the JRE.

For the 3.x releases of Rational Quality Manager, Rational Team Concert and Rational Requirements Composer, upgrade to CLM 3.0.1.6 iFix 1:

Rational Quality Manager 3.0.1.6 iFix 1
Rational Team Concert 3.0.1.6 iFix 1
Rational Requirements Composer 3.0.1.6 iFix 1

For RQM, RTC, and RRC versions 2.x, contact IBM support for additional details on the fix.

In addition, if the application is deployed on WebSphere Application Server (WAS), upgrade to the appropriate fix pack as described in Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server October 2013 CPU.

Workarounds and Mitigations

None

References

Complete CVSS Guide
On-line Calculator V2
IBM Security Alerts: October 2013
Oracle Critical Patch Update Advisory: October 2013

Acknowledgement

None

Change History

* 21 November 2013: Original Copy Published
* 6 December 2013: Added fixes
* 17 March 2014: Added fixes for WAS

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information

Segment             | Product                        | Component           | Platform                     | Version                                                    | Edition
Software Development | Rational Team Concert          | General Information | AIX, Linux, Solaris, Windows | 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5 |
Software Development | Rational Requirements Composer | General Information | Windows, Linux               | 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5 |
Software Development | Rational Quality Manager       | General Information | AIX, Linux, Solaris, Windows | 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5 |

Document information


More support for:

Rational Collaborative Lifecycle Management
General Information

Software version:

4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5

Operating system(s):

AIX, Linux, Solaris, Windows

Reference #:

1656459

Modified date:

2014-03-17
