Security Bulletin
Summary
Security vulnerabilities have been identified in the IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).
Vulnerability Details
Subscribe to My Notifications to be notified of important product support alerts like this.
|
IBM Jazz Team Server applications are shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released January and April 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes.
IBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. The remediation instructions are dependent on whether your deployment uses WAS or Tomcat.
IBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the JRE January and April 2014 critical patch updates:
April 2014 CPU vulnerabilities:
CVEID: CVE-2014-2421
Description: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92462 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVEID: CVE-2013-6954
Description: A remote attacker could exploit this vulnerability using specially crafted PNG image data to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2013-6629
Description: An attacker could exploit this vulnerability using specially crafted JPEG image data to read uninitialized memory and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88783 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
January 2014 vulnerabilities:
CVEID: CVE-2014-0411
Description: An unspecified vulnerability in Java JRE allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-0416
Description: An unspecified vulnerability in Java JRE allows remote attackers to affect integrity via vectors related to JAAS.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90349 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Affected Products and Versions
Rational Quality Manager 2.0 - 2.0.1 (All Editions)
Rational Quality Manager 3.0 - 3.0.1.6 iFix2
Rational Quality Manager 4.0 - 4.0.6
Rational Quality Manager 5.0
Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix2
Rational Team Concert 4.0 - 4.0.6
Rational Team Concert 5.0
Rational Requirements Composer 2.0 - 2.0.0.4 (All Editions)
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 2
Rational Requirements Composer 4.0 - 4.0.6
Rational DOORS Next Generation 4.0 - 4.0.6
Rational DOORS Next Generation 5.0
Rational Engineering Lifecycle Manager 1.0-1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3-4.0.6
Rational Rhapsody Design Manager 3.0-3.0.1
Rational Rhapsody Design Manager 4.0-4.0.6
Rational Rhapsody Design Manager 5.0
Rational Software Architect Design Manager 3.0-3.0.1
Rational Software Architect Design Manager 4.0-4.0.6
Rational Software Architect Design Manager 5.0
Remediation/Fixes
If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions:
IBM Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server April 2014 CPU.
Otherwise:
Upgrade your products to version 4.0.6 or 5.0, and then perform the following upgrades:
How to update the IBM SDK for Java of IBM Rational products based on version 4.0.6 and 5.0 of IBM's Jazz technology
OR:
Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades.
- For the 5.0 release, perform the above remediation or a fix is available by upgrading to the CLM 5.0.1 or later releases
- Rational Quality Manager 5.0.1
- Rational Team Concert 5.0.1
- Rational Requirements Composer is now called Rational DOORS Next Generation 5.0.1
- Rational DOORS Next Generation 5.0.1
- Rational Software Architect Design Manager 5.0.1
- Rational Rhapsody Design Manager 5.0.1
- Rational Engineering Lifecycle Manager 5.0.1
- For the 4.x releases, upgrade to 4.0.7
- Rational Quality Manager 4.0.7
- Rational Team Concert 4.0.7
- Rational Requirements Composer 4.0.7
- Rational Software Architect Design Manager 4.0.7
- Rational Rhapsody Design Manager 4.0.7
- Rational DOORS Next Generation 4.0.7
- Rational Engineering Lifecycle Manager 4.0.7
- For the 3.x releases upgrade to version 3.0.1.6 iFix 3
- Rational Quality Manager 3.0.1.6 iFix 3
- Rational Team Concert 3.0.1.6 iFix 3
- Rational Requirements Composer 3.0.1.6 iFix 3
- For the 2.x releases, contact IBM support for additional details on the fix.
- For the 1.x releases of Rational Engineering Lifecycle Manager, contact IBM support for additional details on the fix.
Workarounds and Mitigations
The version 5.0 Rational products contain the fixes for the January 2014 CPU vulnerabilities, but not the April 2014 CPU vulnerabilities.
To obtain the April 2014 CPU fixes in version 5.0, you must also upgrade the IBM SDK for Java as referenced above.
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Acknowledgement
None
Change History
* 24 Nov 2014: Added links to 5.0.1 versions
* 10 Sep 2014: Added Note about need to upgrade WAS in addition to product upgrades
* 15 July 2014: Added links to 4.0.7 and 3.0.1.6 iFix3 releases
* 17 June 2014: Corrected date typo. Changed WAS link to be more direct
* 16 June 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Any customers calling from version 1.x, or 2.x of the products should be encouraged to upgrade to currently maintained versions. Development does not have a ready-to-give solution for these no longer maintained versions.
Product Synonym
Rational DOORS Next Generation;Rational Team Concert;Rational Quality Manager;Rational Engineering Lifecycle Manager;Rational Collaborative Lifecycle Management Solution
Was this topic helpful?
Document Information
Modified date:
28 April 2021
UID
swg21675956