There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 6, 7, and 8, which are used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in October 2017.
CVEID: CVE-2017-10356 DESCRIPTION: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133785 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-10345 DESCRIPTION: An unspecified vulnerability related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
IBM Rational ClearCase version 8 and 9 in the following components:
ClearCase version
|
Status
—|—
9.0.1 through 9.0.1.2
|
Affected
9.0 through 9.0.0.6
|
Affected
8.0 through 8.0.0.21 | Affected
8.0.1 through 8.0.1.17 | Affected
The solution is to install a fix that includes an updated Java™ Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS).
CCRC Client fixes
Affected Versions
|
Applying the fix
—|—
9.0.1 through 9.0.1.2
9.0 through 9.0.0.6
| Install Rational ClearCase Fix Pack 3 (9.0.1.3) for 9.0.1
8.0.1 through 8.0.1.17
8.0 through 8.0.0.21
| Install Rational ClearCase Fix Pack 18 (8.0.1.18) for 8.0.1
For 7.0, 7.1, 8.0, and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Notes:
* If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), or you use rcleartool or CMAPI using a Java™ Virtual Machine not supplied by IBM as part of Rational ClearCase, you should update the Java™ Virtual Machine that you use to include a fix for the above issues. Contact the supplier of your Java™ Virtual Machine and/or the supplier of your Eclipse shell.
CCRC WAN server fixes
Affected Versions
|
Applying the fix
—|—
9.0.0.x
9.0.1.x
8.0.1.x
8.0.0.x | Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.
1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\versionInfo.bat `(Windows). The output includes a section "IBM WebSphere Application Server". Make note of the version listed in this section.
and apply the latest available fix for the version of WAS used for CCRC WAN server.
* **Note:**there may be newer security fixes for WebSphere Application Server. Follow the link below (in the section "