Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
CVE-ID: CVE-2014-0224
**Description:** OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct a man-in-the-middle attack that decrypts and modifies traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93586> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE-ID: CVE-2014-3470
**Description:** OpenSSL is vulnerable to a denial of service, caused by an error in the implementation of anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93589> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2015-0292
**Description:** OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing base64-encoded data. An attacker could exploit this vulnerability using specially-crafted base64 data to corrupt memory and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101670> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
IBM Rational ClearCase versions:

Version | Status
---|---
8.0.1 through 8.0.1.3 | Affected
8.0 through 8.0.0.10 | Affected
7.1.0.x, 7.1.1.x (all versions) | Affected
7.1.2 through 7.1.2.13 | Affected
7.0.x | Not affected
Not all deployments of Rational ClearCase use OpenSSL in a way that is affected by these vulnerabilities.
You are vulnerable if your use of Rational ClearCase includes any of these configurations:

- You use the base ClearCase/ClearQuest integration client on any platform, configured to use SSL to communicate with a ClearQuest server.
- You use the UCM/ClearQuest integration on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest server.
  Note: Windows clients using the UCM/ClearQuest integration are not vulnerable.
- You use the Change Management Integrations (CMI) for base ClearCase with ClearQuest or Rational Team Concert (RTC), or for UCM with ClearQuest or RTC, on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest or RTC server.
  Note: Windows clients using the CMI integration are not vulnerable.
- You use ratlperl, ccperl, or cqperl to run your own Perl scripts, and those scripts use SSL connections.
Apply the fix pack for your release of ClearCase. These fix packs include OpenSSL 1.0.1h.

Affected Versions | Applying the fix
---|---
8.0.1.x | Install Rational ClearCase Fix Pack 4 (8.0.1.4) for 8.0.1
8.0.0.x | Install Rational ClearCase Fix Pack 11 (8.0.0.11) for 8.0
7.1.2.x | Install Rational ClearCase Fix Pack 14 (7.1.2.14) for 7.1.2
7.1.0.x, 7.1.1.x | Install Rational ClearCase Fix Pack 14 (7.1.2.14) for 7.1.2
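The bulletin gives 1.0.1h as the OpenSSL level shipped in the fix packs, so the practical verification after patching is to confirm that whatever OpenSSL your Perl scripts and integration clients actually link against is at or above that level. The script below is an added example written for this page; it is not IBM, ClearCase or OpenSSL code. It parses version strings in the format printed by `openssl version` (the same format Python exposes as `ssl.OPENSSL_VERSION`; it is an assumption here that the string your ratlperl/ccperl/cqperl SSL module reports has the same shape) and orders them correctly despite the letter suffix, including the multi-letter suffixes OpenSSL has used (`0.9.8za` sorts after `0.9.8y`). Because the bulletin only states the fix level for the 1.0.1 branch, versions on any other branch are reported as `unknown` rather than guessed. The sample version strings in `SAMPLE_VERSIONS` are constructed for illustration.

```python
"""Check reported OpenSSL version strings against the 1.0.1h fix level
named in the bulletin. Added example; assumes the `openssl version` string
format and decides only for the 1.0.1 release branch."""
import re
import ssl

# Fix level stated by the bulletin ("These fix packs include OpenSSL 1.0.1h").
FIXED_VERSION = "1.0.1h"

# Matches "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1 14 Mar 2012",
# "OpenSSL 0.9.8za ..." etc. Group 4 is the (possibly empty) letter suffix.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(text):
    """Return (major, minor, fix, suffix) parsed from an OpenSSL version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, m.group(4).lower())


def version_key(version):
    """Sort key that orders letter suffixes the way OpenSSL numbers releases:
    no suffix < 'a' < 'b' < ... < 'z' < 'za' < 'zb' ..."""
    major, minor, fix, suffix = version
    # A longer suffix ('za') is always a later release than a shorter one ('z'),
    # so compare on length first, then lexically.
    return (major, minor, fix, len(suffix), suffix)


def check_version(text, fixed=FIXED_VERSION):
    """Classify a version string as 'fixed', 'affected' or 'unknown'.

    'unknown' means the version is on a different release branch than the
    fix level, so the bulletin's 1.0.1h statement does not decide it."""
    found = parse_openssl_version(text)
    target = parse_openssl_version("OpenSSL " + fixed)
    if found[:3] != target[:3]:
        return "unknown"
    return "fixed" if version_key(found) >= version_key(target) else "affected"


def report(versions, fixed=FIXED_VERSION):
    """Map each component name to its verdict. `versions` is
    {component name: version string}."""
    return {name: check_version(text, fixed) for name, text in versions.items()}


# Constructed sample inputs, not real output from any ClearCase installation.
SAMPLE_VERSIONS = {
    "ratlperl (pre-fix-pack, hypothetical)": "OpenSSL 1.0.1g 7 Apr 2014",
    "ratlperl (post-fix-pack, hypothetical)": "OpenSSL 1.0.1h 5 Jun 2014",
    "cqperl without letter suffix (hypothetical)": "OpenSSL 1.0.1 14 Mar 2012",
    "other tool on the 0.9.8 branch (hypothetical)": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    results = report(SAMPLE_VERSIONS)
    # Also check the OpenSSL this interpreter itself is linked against.
    results["this python's ssl module"] = check_version(ssl.OPENSSL_VERSION)
    for name, verdict in results.items():
        print(f"{verdict:9s}  {name}")
```

Running the file prints one verdict per component. To check a real ratlperl, ccperl or cqperl, feed it the version string those interpreters' SSL bindings report in place of the constructed `SAMPLE_VERSIONS` entries; anything reported as `affected` on a client that matches one of the configurations listed above still needs the fix pack, and `unknown` results need checking against the OpenSSL Project's own advisory for that branch.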
Disable the ClearCase/ClearQuest integration and any custom use of ratlperl, ccperl, or cqperl with SSL until you apply the fixes listed above.