There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7 and 8, which are used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in March 2019.
CVEID: CVE-2018-1890 DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152081> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)
CVEID: CVE-2018-12547 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157512> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM Rational ClearCase version 9 is affected in the following components and versions:

ClearCase version | Status
---|---
9.0.1.7 on linux_x86 (32-bit) | Affected
9.0.1 through 9.0.1.6 | Affected
9.0 through 9.0.0.6 | Affected
The remediation has two parts: install a ClearCase fix pack that ships an updated Java™ Virtual Machine containing the fixes for these issues, and separately apply the fixes for WebSphere Application Server (WAS).
Apply the relevant fixes as listed in the table below.

Affected Versions | Applying the fix
---|---
9.0.1.7 on linux_x86 (32-bit) | Install Rational ClearCase Fix Pack 8 (9.0.1.8) for 9.0.1
9.0.1 through 9.0.1.6 | Install Rational ClearCase Fix Pack 7 (9.0.1.7) for 9.0.1
9.0 through 9.0.0.6 | Install Rational ClearCase Fix Pack 7 (9.0.1.7) for 9.0.1

Note that on linux_x86 (32-bit) the 9.0.1.7 fix pack is itself affected, so hosts on that platform need 9.0.1.8 regardless of their starting version.
For 8.0 and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Note: the WebSphere Application Server fixes are applied separately from the ClearCase fix packs:

Affected Versions | Applying the fix
---|---
9.0.0.x, 9.0.1.x | Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.
<ccase-home>/common/ccrcprofile), then execute the script bin/versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output includes a section "IBM WebSphere Application Server"; make note of the version listed in this section.

Note: there may be newer security fixes for WebSphere Application Server. Follow the link below (in the section "