Security Bulletin: XML entity expansion vulnerabilities in ClearCase (CVE-2014-3090)

Published: 2018-07-10 08:34 (source: www.ibm.com)

EPSS: 0.008 (percentile 81.2%)

Summary

IBM Rational ClearCase is vulnerable to XML entity expansion attacks. These attacks could cause a denial of service.

Vulnerability Details


CVE ID: CVE-2014-3090

**Description:** IBM Rational ClearCase is vulnerable to XML entity expansion attacks. A malicious server could exhaust process memory on a client. A malicious client could cause denial of service on a server.

The vulnerable components are:

  • CCRC WAN Server / CM Server
  • Perl CC/CQ integration trigger scripts (clients)
  • CMAPI Java interface (clients)
  • ClearCase remote client
  • CMI and OSLC-based ClearQuest integrations (clients)

CVSS Base Score: 5.0 **CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94256> for the current score **CVSS Environmental Score:** Undefined **CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)

IBM Rational ClearCase is vulnerable to a denial of service, caused by the failure to properly detect recursion during entity expansion by the XML parser. A remote attacker could exploit this vulnerability using a specially crafted XML document containing a large number of nested entity references to consume all available memory resources.
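The check a defender would put in front of the XML consumer, as an added example that is not IBM's code or part of ClearCase: a Python wrapper over the standard-library expat parser that refuses any entity declaration by default and, where entities must be allowed, caps the expanded character data at a multiple of the input size, so a document built from nested entity references fails the parse before it can exhaust process memory. The function names (`parse_bounded`, `check_document`), the 10x default budget and the two sample documents are constructed for this illustration.

```python
# Added example (not IBM's or ClearCase's code): bound XML entity expansion
# at the consumer using only the standard-library expat parser.
import xml.parsers.expat


class EntityExpansionRejected(Exception):
    """Raised when a document declares entities or expands past the budget."""


def parse_bounded(xml_bytes, allow_entities=False, max_amplification=10.0):
    """Parse xml_bytes and return its concatenated character data.

    Two independent guards (names and defaults are this example's choice):
      1. allow_entities=False: the first <!ENTITY ...> declaration aborts the
         parse, before any expansion takes place.
      2. Even with entities allowed, the character data delivered by the
         parser may not exceed max_amplification * len(xml_bytes); nested
         references that try to amplify further abort the parse, so memory
         use stays proportional to the input.
    """
    parser = xml.parsers.expat.ParserCreate()
    budget = max_amplification * len(xml_bytes)
    chunks = []
    produced = 0

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # expat reports every entity declared in the internal DTD subset here.
        if not allow_entities:
            raise EntityExpansionRejected(f"entity declaration {name!r} refused")

    def on_char_data(data):
        # Expanded entity text arrives through this handler, possibly in
        # several pieces; count it against the budget before keeping it.
        nonlocal produced
        produced += len(data)
        if produced > budget:
            raise EntityExpansionRejected(
                f"expanded text exceeds {max_amplification:g}x the input size")
        chunks.append(data)

    # An exception raised inside a handler stops the parser and propagates
    # out of Parse(), so a rejected document never finishes expanding.
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_char_data
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def check_document(xml_bytes, **limits):
    """Return (True, text) for an accepted document, (False, reason) otherwise."""
    try:
        return True, parse_bounded(xml_bytes, **limits)
    except EntityExpansionRejected as exc:
        return False, str(exc)


# Constructed sample inputs for this example.
BENIGN = b"<?xml version='1.0'?><activity><id>ACT-42</id><owner>dev</owner></activity>"

# Three nesting levels, ten references each: &c; expands to 1,000 characters
# from a document of about 160 bytes. Each further level multiplies by ten.
NESTED = (b"<?xml version='1.0'?>"
          b"<!DOCTYPE d [<!ENTITY a 'xxxxxxxxxx'>"
          b"<!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;'>"
          b"<!ENTITY c '&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;'>]>"
          b"<d>&c;</d>")


if __name__ == "__main__":
    print(check_document(BENIGN))   # accepted, text "ACT-42dev"
    print(check_document(NESTED))   # rejected: entity declaration refused
    print(check_document(NESTED, allow_entities=True, max_amplification=5.0))  # rejected: over budget
```

The declaration guard is the one to prefer: none of the integrations listed above needs client-supplied DTDs, and refusing the declaration means no expansion work is done at all. The amplification budget is the fallback for consumers that legitimately accept small internal entities; it bounds the damage rather than preventing it, so keep the multiplier low.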

Affected Products and Versions

| ClearCase version | Status |
|---|---|
| 8.0.1 through 8.0.1.4 | Affected |
| 8.0 through 8.0.0.11 | Affected |
| 7.1.2 through 7.1.2.14 | Affected |
| 7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected |
| 7.0.x | Not affected |

Remediation/Fixes

The solution is to upgrade to a newer fix pack of ClearCase.

| Affected Versions | Applying the fix |
|---|---|
| 8.0.1.x | Install Rational ClearCase Fix Pack 4 (8.0.1.5) for 8.0.1 |
| 8.0.0.x | Install Rational ClearCase Fix Pack 11 (8.0.0.12) for 8.0 |
| 7.1.2.x | Install Rational ClearCase Fix Pack 14 (7.1.2.15) for 7.1.2 |
| 7.1.1.x, 7.1.0.x | Install Rational ClearCase Fix Pack 14 (7.1.2.15) for 7.1.2 |

  • Note: 7.1.2.14 interoperates with all 7.1.1.x systems, and can be installed in the same way as 7.1.1.x fix packs.

Workarounds and Mitigations

Disable the Perl trigger-based ClearCase/ClearQuest integration until you apply the fixes to clients. Disable the CMI and OSLC-based ClearQuest integrations until you apply the fixes to clients.

Disable CCRC WAN server until you apply the fixes to servers.
