IBM Support

Security Bulletin: Multiple Vulnerabilities in current IBM SDK for Java for IBM Rational ClearQuest Web Client (CVE-2013-5802 and CVE-2013-5825)

Security Bulletin


Summary

IBM Rational ClearQuest Web server is sensitive to vulnerabilities in the IBM JRE supplied with IBM WebSphere Application Server.

Vulnerability Details

 Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVE IDs: CVE-2013-5802 CVE-2013-5825

Description:
Due to Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition, unspecified vulnerabilities in the IBM Rational ClearQuest Web server could allow an attacker to exploit some JRE vulnerabilities.

ClearQuest Web server runs as a profile on the IBM WebSphere Application Server (WAS) which has issued Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server October 2013 CPU. When ClearQuest Web server is running on WAS, ClearQuest uses the JRE supplied with WAS.

These vulnerabilities do not affect ClearQuest desktop applications and clients such as the IBM Rational ClearQuest client or IBM Rational ClearQuest for Windows client.

CVEID: CVE-2013-5802
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87982 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)

CVEID: CVE-2013-5825
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)

Affected Products and Versions

Rational ClearQuest Web greater than and inclusive of ClearQuest v7.1.

Remediation/Fixes

ClearCase and ClearQuest 7.1.x releases are shipped with and install and configure WAS version 6.1.0.25. Review technote 1390803: How to update the IBM WebSphere Application Server components in Rational ClearCase and Rational ClearQuest 7.1

ClearQuest 8.x releases have separated the WAS installation from the ClearQuest installation.

Directly follow WebSphere Application Server instructions for updating your version of WAS.

Note: Determine the version of WAS that your deployment is using and follow the instructions at


Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server October 2013 CPU to update your version of the JRE supplied by WAS. This applies for all versions of ClearQuest Web Server greater than and inclusive of v7.1.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 19 December 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSSH5A","label":"Rational ClearQuest"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Web Server (7.1)","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.1;7.1.0.1;7.1.0.2;7.1.1;7.1.1.1;7.1.1.2;7.1.1.3;7.1.1.4;7.1.1.5;7.1.1.6;7.1.1.7;7.1.1.8;7.1.1.9;7.1.2;7.1.2.1;7.1.2.10;7.1.2.11;7.1.2.12;7.1.2.2;7.1.2.3;7.1.2.4;7.1.2.5;7.1.2.6;7.1.2.7;7.1.2.8;7.1.2.9;8.0;8.0.0.1;8.0.0.2;8.0.0.3;8.0.0.4;8.0.0.5;8.0.0.6;8.0.0.7;8.0.0.8;8.0.0.9;8.0.1;8.0.1.1;8.0.1.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018

UID

swg21660502

Page Feedback