Security Bulletin: Security vulnerability in IBM Jazz Team Server affects multiple IBM Rational products based on IBM Jazz technology (CVE-2014-2421, CVE-2013-6954, CVE-2013-6629, CVE-2014-0411, CVE-2014-0416)

Security Bulletin


Summary

Security vulnerabilities have been identified in the IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).

Vulnerability Details

Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

IBM Jazz Team Server applications are shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released January and April 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes.

IBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. The remediation instructions are dependent on whether your deployment uses WAS or Tomcat.

IBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the JRE January and April 2014 critical patch updates:

April 2014 CPU vulnerabilities:

CVEID: CVE-2014-2421

Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92462 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


CVEID: CVE-2013-6954

Description: A remote attacker could exploit this vulnerability using specially crafted PNG image data to cause the application to crash.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVEID: CVE-2013-6629

Description: An attacker could exploit this vulnerability using specially crafted JPEG image data to read uninitialized memory and obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88783 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


January 2014 vulnerabilities:

CVEID: CVE-2014-0411

Description: An unspecified vulnerability in Java JRE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)


CVEID: CVE-2014-0416

Description: An unspecified vulnerability in Java JRE allows remote attackers to affect integrity via vectors related to JAAS.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Rational Quality Manager 2.0 - 2.0.1 (All Editions)
Rational Quality Manager 3.0 - 3.0.1.6 iFix2
Rational Quality Manager 4.0 - 4.0.6
Rational Quality Manager 5.0

Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix2
Rational Team Concert 4.0 - 4.0.6
Rational Team Concert 5.0

Rational Requirements Composer 2.0 - 2.0.0.4 (All Editions)
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 2
Rational Requirements Composer 4.0 - 4.0.6

Rational DOORS Next Generation 4.0 - 4.0.6
Rational DOORS Next Generation 5.0

Rational Engineering Lifecycle Manager 1.0-1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3-4.0.6

Rational Rhapsody Design Manager 3.0-3.0.1
Rational Rhapsody Design Manager 4.0-4.0.6
Rational Rhapsody Design Manager 5.0

Rational Software Architect Design Manager 3.0-3.0.1
Rational Software Architect Design Manager 4.0-4.0.6
Rational Software Architect Design Manager 5.0

Remediation/Fixes

If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions:
IBM Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server April 2014 CPU.

Otherwise:
Upgrade your products to version 4.0.6 or 5.0, and then perform the following upgrades:

How to update the IBM SDK for Java of IBM Rational products based on version 4.0.6 and 5.0 of IBM's Jazz technology

OR:
Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades.

Workarounds and Mitigations

The version 5.0 Rational products contain the fixes for the January 2014 CPU vulnerabilities, but not the April 2014 CPU vulnerabilities.
To obtain the April 2014 CPU fixes in version 5.0, you must also upgrade the IBM SDK for Java as referenced above.

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Related information

Acknowledgement

None

Change History

* 10 Sep 2014: Added Note about need to upgrade WAS in addition to product upgrades
* 15 July 2014: Added links to 4.0.7 and 3.0.1.6 iFix3 releases
* 17 June 2014: Corrected date typo. Changed WAS link to be more direct
* 16 June 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational Team Concert Team Server AIX, i5/OS, IBM i, Linux, Solaris, Windows, z/OS, Mac OS X 2.0, 2.0.0.1, 2.0.0.2, 3.0, 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.3, 3.0.1.4, 3.0.1.5, 3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0
Software Development Rational Quality Manager Team Server AIX, Linux, Solaris, Windows, z/OS 2.0, 2.0.0.1, 2.0.0.2, 2.0.1, 2.0.1.1, 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.3, 3.0.1.4, 3.0.1.5, 3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0
Software Development Rational Requirements Composer Team Server Windows, Linux, z/OS 2.0, 2.0.0.1, 2.0.0.2, 2.0.0.3, 2.0.0.4, 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.3, 3.0.1.4, 3.0.1.5, 3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6 All Editions
Software Development Rational DOORS Next Generation General information Linux, Windows 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0
Software Development Rational Engineering Lifecycle Manager General Information Windows, Linux 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0 All Editions
Software Development Rational Rhapsody Design Manager General Information Linux, Windows 3.0, 3.0.0.1, 3.0.1, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0
Software Development Rational Software Architect Design Manager General Information AIX, Linux, Solaris, Windows 3.0, 3.0.0.1, 3.0.1, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0 All Editions

Rate this page:

(0 users)Average rating

Document information


More support for:

Rational Collaborative Lifecycle Management
General Information

Software version:

3.0.1, 3.0.1.6, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0

Operating system(s):

AIX, Linux, Mac OS, Solaris, Windows, z/OS

Reference #:

1675956

Modified date:

2014-09-10

Translate my page

Machine Translation

Content navigation