Security Bulletin: Vulnerability in Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager and Rhapsody Design Manager (CVE-2014-3037)

Security Bulletin

Summary

IBM Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager and Rational Rhapsody Design Manager are vulnerable to a cross-site request forgery attack.

Vulnerability Details

	Subscribe to My Notifications to be notified of important product support alerts like this. Follow this link for more information (requires login with your IBM ID)

CVE ID: CVE-2014-3037

Description: Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager, and Rhapsody Design Manager use the component IBM Configuration Management Application (VVC), which is vulnerable to cross-site request forgery, caused by improper validation of user-supplied data. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93303 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

Rational Engineering Lifecycle Manager 1.0, 1.0.0.1, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0

Rational Software Architect Design Manager 3.0, 3.0.0.1, 3.0.1, 4.0 - 4.0.6, 5.0

Rational Rhapsody Design Manager 3.0, 3.0.0.1, 3.0.1, 4.0 - 4.0.6, 5.0

Remediation/Fixes

For Rational Engineering Lifecycle Manager:

Upgrade to Rational Engineering Lifecycle Manager 4.0.7

Upgrade to Rational Engineering Lifecycle Manager 5.0.1

For Rational Software Architect Design Manager:

Upgrade to Rational Software Architect Design Manager 4.0.7

Upgrade to Rational Software Architect Design Manager 5.0.1

For Rational Rhapsody Design Manager:

Upgrade to Rational Rhapsody Design Manager 4.0.7

Upgrade to Rational Rhapsody Design Manager 5.0.1

For the 1.x releases of Rational Engineering Lifecycle Manager, the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, or customers who cannot upgrade to 4.0.7 or 5.0.1, please contact IBM support for guidance.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Acknowledgement

None

Change History

* 5 Sep 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

RSA DM PSIRT# 1743 Record # 37220
Rhapsody DM PSIRT# 1743 Record # 37219

Alternate description: A security vulnerability has been identified in Rational Software Architect Design Manager and Rational Rhapsody Design Manager that allows manipulation of user session and cookies, which might be used by a hacker to view or alter user records, and to perform transactions as that user

[{"Product":{"code":"SSUB2H","label":"IBM Engineering Lifecycle Optimization - Engineering Insights"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"1.0;1.0.0.1;4.0.3;4.0.4;4.0.5;4.0.6;5.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSRMY8","label":"Rational Software Architect Design Manager"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General Information","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"3.0;3.0.0.1;3.0.1;4.0;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;5.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Product":{"code":"SSRNEV","label":"Rational Rhapsody Design Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"3.0;3.0.0.1;3.0.1;4.0;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;5.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Product Synonym

Rational Engineering Lifecycle Manager

Was this topic helpful?

Document Information

Modified date:
16 June 2018

UID

swg21682120

Tips

Security Bulletin: Vulnerability in Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager and Rhapsody Design Manager (CVE-2014-3037)