Published: Jul 15, 2024, 1:22 p.m.

Security Bulletin: Multiple vulnerabilities in OpenSSL affects IBM DevOps Code ClearCase

Source: www.ibm.com

CVSS3 base score: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | LOW |
| Availability Impact | HIGH |

AI Score: 7.8 (Confidence: High)

EPSS: 0.002 (Percentile: 61.4%)

Summary

OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM DevOps Code ClearCase. [CVE-2023-6237, CVE-2023-6129, CVE-2023-5678, CVE-2024-0727]

Vulnerability Details

CVEID: CVE-2023-6237
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the handling of RSA public keys by the EVP_PKEY_public_check() function. By persuading a victim to use a specially crafted RSA public key for verification, a remote attacker could exploit this vulnerability to cause long delays, resulting in a denial of service condition.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279450 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-6129
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the POLY1305 MAC (message authentication code) implementation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278934 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-5678
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the DH_generate_key() function when it is used to generate an X9.42 DH key. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270771 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-0727
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted PKCS12 file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Rational ClearCase | 10.0.1 through 10.0.1.1 |
| IBM Rational ClearCase | 9.1 through 9.1.0.6 |
| IBM DevOps Code ClearCase | 11.0.0 |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by applying the fix pack listed for your version in the table below:

| Affected Versions | Applying the fix |
|---|---|
| 9.1 through 9.1.0.6 | Install Rational ClearCase Fix Pack 7 (9.1.0.7) for 9.1 |
| 10.0.1 through 10.0.1.1 | Install Rational ClearCase Fix Pack 2 (10.0.1.2) for 10.0.1 |
| 11.0.0 | Install Rational ClearCase Fix Pack 1 (11.0.0.1) for 11.0.0 |

For 9.0.2.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

_For 10.0.0.x releases, IBM recommends upgrading to a 10.0.1.x release._
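To triage an installed fleet against the ranges above, the following added example (not IBM's code, and not part of the bulletin) maps a ClearCase version string to the bulletin's remediation, padding short versions so that `9.1` compares as `9.1.0.0` and covering the out-of-support `9.0.2.x and earlier` and `10.0.0.x` lines called out in the text. The fix table below is transcribed from this bulletin; `installed` version strings are constructed sample input.

```python
from typing import Optional, Tuple

# (low, high, remediation) transcribed from the bulletin's fix table.
FIX_TABLE = [
    ("9.1", "9.1.0.6", "Install Rational ClearCase Fix Pack 7 (9.1.0.7)"),
    ("10.0.1", "10.0.1.1", "Install Rational ClearCase Fix Pack 2 (10.0.1.2)"),
    ("11.0.0", "11.0.0", "Install Rational ClearCase Fix Pack 1 (11.0.0.1)"),
]
UPGRADE_OLD = "Upgrade to a fixed, supported version/release/platform"
UPGRADE_1000 = "Upgrade to a 10.0.1.x release, then apply 10.0.1.2"


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.1' -> (9, 1, 0, 0); pads to four components so ranges compare cleanly."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return parts + (0,) * (4 - len(parts))


def remediation(installed: str) -> Optional[str]:
    """Return the bulletin's remediation for `installed`, or None if not affected."""
    ver = parse_version(installed)
    for low, high, action in FIX_TABLE:
        if parse_version(low) <= ver <= parse_version(high):
            return action
    # Lines the bulletin names only in prose, outside the fix-pack table.
    if ver[:3] == (10, 0, 0):
        return UPGRADE_1000
    if ver[:3] <= (9, 0, 2):
        return UPGRADE_OLD
    return None  # at or above a fixed level (9.1.0.7, 10.0.1.2, 11.0.0.1)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("build01", "9.1.0.3"), ("build02", "10.0.0.2"),
                      ("build03", "11.0.0.1"), ("legacy", "8.0.1")]:
        print(f"{host:8} {ver:9} -> {remediation(ver) or 'not affected'}")
```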

Workarounds and Mitigations

None

Affected configurations (Vulners CPE matching)

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | rational_clearcase | 8.0.0 | cpe:2.3:a:ibm:rational_clearcase:8.0.0:*:*:*:*:*:*:* |
| ibm | rational_clearcase | 8.0.1 | cpe:2.3:a:ibm:rational_clearcase:8.0.1:*:*:*:*:*:*:* |
| ibm | rational_clearcase | 9.0.0 | cpe:2.3:a:ibm:rational_clearcase:9.0.0:*:*:*:*:*:*:* |
| ibm | rational_clearcase | 9.0.1 | cpe:2.3:a:ibm:rational_clearcase:9.0.1:*:*:*:*:*:*:* |
| ibm | rational_clearcase | 9.0.2 | cpe:2.3:a:ibm:rational_clearcase:9.0.2:*:*:*:*:*:*:* |
| ibm | rational_clearcase | 9.1 | cpe:2.3:a:ibm:rational_clearcase:9.1:*:*:*:*:*:*:* |
