IBM Rational ClearCase is vulnerable to XML entity expansion attacks. These attacks could cause a denial of service.
CVE ID: CVE-2014-3090

**Description:** IBM Rational ClearCase is vulnerable to XML entity expansion attacks. A malicious server could exhaust process memory on a client. A malicious client could cause denial of service on a server.
The vulnerable components are:
CVSS Base Score: 5.0
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94256> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM Rational ClearCase is vulnerable to a denial of service, caused by the failure to properly detect recursion during entity expansion by the XML parser. A remote attacker could exploit this vulnerability using a specially crafted XML document containing a large number of nested entity references to consume all available memory resources.
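The defensive counterpart to the parser failure described above, as an added example that is not IBM's code and not how ClearCase itself parses XML: the guard sizes every internal entity declared in the DTD from its literal replacement text, without expanding anything, and refuses the document at the end of the DTD if the nested references would exceed a byte budget or form a cycle. The 64 KB budget, the `check_document` helper and both sample documents are constructed for this example.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:\-]*);")  # refs inside an entity's literal value


class EntityExpansionGuard:
    # Sizes each declared internal entity as it would be after full expansion,
    # without expanding anything; rejects the document at the end of the DTD.
    def __init__(self, max_expansion=64 * 1024):
        self.max_expansion = max_expansion
        self.entities = {}

    def on_entity_decl(self, name, is_param, value, base, sys_id, pub_id, notation):
        if not is_param and value is not None:  # internal general entity only
            self.entities[name] = value

    def expanded_size(self, name, chain=()):
        if name in chain:
            raise ValueError(f"recursive entity reference via {name!r}")
        value = self.entities.get(name, "")
        size = len(value)  # literal text plus each reference's expansion: an upper bound
        for ref in ENTITY_REF.findall(value):
            size += self.expanded_size(ref, chain + (name,))
            if size > self.max_expansion:
                raise ValueError(f"entity {name!r} expands past {self.max_expansion} bytes")
        return size

    def on_end_doctype(self):  # fires after the DTD, before any body reference is expanded
        for name in list(self.entities):
            self.expanded_size(name)


def check_document(xml_bytes, max_expansion=64 * 1024):
    # Returns (accepted, reason); a rejected document is never expanded.
    guard = EntityExpansionGuard(max_expansion)
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl
    parser.EndDoctypeDeclHandler = guard.on_end_doctype
    try:
        parser.Parse(xml_bytes, True)
    except ValueError as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed samples: one harmless entity, and a five-level chain in which each
# entity references the previous one ten times (about 100 KB from ~300 bytes of DTD).
BENIGN = b'<!DOCTYPE n [<!ENTITY product "Rational ClearCase">]><n>&product;</n>'
NESTED = b"""<!DOCTYPE b [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"><!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">]><b>&e;</b>"""
```

`check_document(BENIGN)` returns `(True, "ok")`, while `check_document(NESTED)` is refused at the end of the DTD with the reason naming entity `e`, so the body reference `&e;` is never expanded.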
| ClearCase version | Status |
|---|---|
| 8.0.1 through 8.0.1.4 | Affected |
| 8.0 through 8.0.0.11 | Affected |
| 7.1.2 through 7.1.2.14 | Affected |
| 7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected |
| 7.0.x | Not affected |
The solution is to upgrade to a newer fix pack of ClearCase.
| Affected Versions | Applying the fix |
|---|---|
| 8.0.1.x | Install Rational ClearCase Fix Pack 4 (8.0.1.5) for 8.0.1 |
| 8.0.0.x | Install Rational ClearCase Fix Pack 11 (8.0.0.12) for 8.0 |
| 7.1.2.x | Install Rational ClearCase Fix Pack 14 (7.1.2.15) for 7.1.2 |
| 7.1.1.x, 7.1.0.x | Install Rational ClearCase Fix Pack 14 (7.1.2.15) for 7.1.2 |
Until the fixes are applied to clients, disable the Perl-trigger-based ClearCase/ClearQuest integration and the CMI and OSLC-based ClearQuest (CQ) integrations.
Until the fixes are applied to servers, disable the CCRC WAN server.