Security Bulletin
Summary
A Transport Layer Security (TLS) padding vulnerability, exploitable through a POODLE (Padding Oracle On Downgraded Legacy Encryption)-like attack, affects IBM Rational ClearQuest.
Vulnerability Details
CVE-ID: CVE-2014-8730
Description: IBM Rational ClearQuest could allow a remote attacker to obtain sensitive information, caused by some TLS implementations failing to check the contents of the padding bytes when CBC cipher suites are used. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption)-like attack to decrypt sensitive information and recover the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
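The padding rule behind the description above, as an added example that is not IBM's code and not part of this bulletin: under TLS 1.0 through 1.2 a CBC record ends in pad_len + 1 bytes that must all equal pad_len, and a receiver that inspects only the final byte (the SSL 3.0 rule) will accept records whose other padding bytes are arbitrary. The weak checker below shows that "failure to check the contents of the padding bytes" in code beside a strict checker; the record contents, block size and function names are constructed for illustration and MAC handling is omitted.

```python
# Added example; not code from IBM or the ClearQuest product. Illustrates the
# TLS 1.x CBC padding rule (RFC 5246, section 6.2.3.2): the record ends in
# pad_len + 1 bytes that must all equal pad_len. An implementation that only
# inspects the final byte accepts records whose other padding bytes were
# altered, which is the condition CVE-2014-8730 describes. Both checkers run
# on already-decrypted plaintext; MAC verification is omitted for brevity.

BLOCK_SIZE = 16  # assumed AES block size; 3DES-based suites use 8


def tls_pad(content: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append TLS 1.x CBC padding: pad_len bytes of value pad_len, then pad_len itself."""
    pad_len = (block_size - 1 - len(content)) % block_size
    return content + bytes([pad_len]) * (pad_len + 1)


def weak_padding_check(plaintext: bytes) -> bool:
    """SSL 3.0-style check: only the final length byte is examined.

    The preceding padding bytes are never compared, so a record whose padding
    was altered in transit is still accepted as long as the last byte decrypts
    to a length that fits in the record.
    """
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strict_padding_check(plaintext: bytes) -> bool:
    """TLS 1.x check: each of the pad_len + 1 trailing bytes must equal pad_len.

    All candidate bytes are folded into one accumulator instead of returning
    at the first mismatch, so the verdict does not reveal which byte was wrong.
    """
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def strip_padding(plaintext: bytes) -> bytes:
    """Return the content bytes, rejecting the record unless the strict rule holds."""
    if not strict_padding_check(plaintext):
        raise ValueError("bad_record_mac: invalid CBC padding")
    return plaintext[: len(plaintext) - (plaintext[-1] + 1)]


# Constructed sample records (decrypted plaintext, no MAC).
VALID_RECORD = tls_pad(b"GET /")                               # 5 content bytes + 11 bytes of 0x0a
TAMPERED_RECORD = VALID_RECORD[:5] + b"\x41\x99" + VALID_RECORD[7:]  # two padding bytes altered, length byte intact
OVERLONG_RECORD = b"\x10"                                      # pad_len 16 cannot fit in a 1-byte record


def compare_checks(record: bytes) -> dict:
    """Report how the weak and strict checkers each treat one record."""
    return {
        "weak": weak_padding_check(record),
        "strict": strict_padding_check(record),
    }


if __name__ == "__main__":
    for name, rec in (("valid", VALID_RECORD), ("tampered", TAMPERED_RECORD),
                      ("overlong", OVERLONG_RECORD)):
        print(f"{name:9s} {compare_checks(rec)}")
```

The tampered record is the interesting case: the weak checker accepts it and the strict checker rejects it, and that difference in behaviour is exactly what a padding-oracle attack observes. A receiver that applies the strict rule, and responds identically to a padding failure and a MAC failure, gives the attacker nothing to distinguish.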
Affected Products and Versions
The vulnerable components are used by the ClearQuest Web server when it supports SSL connections through IBM HTTP Server, and by any ClearQuest deployment whose LDAP authentication is configured to use SSL connections.
ClearQuest | Status |
8.0.1.x | Affected |
8.0.0.x | Affected |
7.1.2.x | Affected |
7.1.1.x | Affected |
7.1.0.x | Affected |
Remediation/Fixes
Server fixes (for ClearQuest Web that uses IBM HTTP Server):
You should modify your IBM HTTP Server (IHS) configuration if you use SSL on the ClearQuest Web server. Follow the remediation instructions in IHS bulletin 1692502.
If you need to install a fixpack or interim fix for IHS to mitigate the vulnerability, follow the guidance in this table:
Affected ClearQuest Versions | Applying an IHS Fix |
8.0.0.x, 8.0.1.x | Install the IHS fixes, following the instructions from the IHS security bulletin. |
7.1.0.x, 7.1.1.x, 7.1.2.x | Document 1390803 explains how to update IHS for ClearQuest Web servers at release 7.1.x. Consult those instructions when applying the fix, and install the IHS fixes listed in the IHS security bulletin referenced above. |
For ClearQuest deployments using secure LDAP authentication
If your ClearQuest deployment is configured to use LDAP authentication and uses SSL for its LDAP connections, you are exposed to this issue through LDAP and should install the following fixes.
Affected Versions | Applying the fix |
8.0.1.x | Install Rational ClearQuest Fix Pack 7 (8.0.1.7) |
8.0.0.x | Install Rational ClearQuest Fix Pack 14 (8.0.0.14) |
7.1.0.x, 7.1.1.x, 7.1.2.x | Customers with extended support contracts should install Rational ClearQuest Fix Pack 17 (7.1.2.17) |
You should verify that applying this configuration change does not cause any compatibility issues.
References
Change History
* 22 December 2014: Original copy published
* 22 January 2015: Revised to include IBM HTTPServer fixes
* 7 April 2015: Revised to reference latest fix packs
*The CVSS Environmental Score is customer-environment specific and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
29 September 2018
UID
swg21693290