History: Sep 29, 2018, 6:04 p.m.

Security Bulletin: Vulnerabilities in ClearQuest OpenSSL Component (CVE-2013-4353, CVE-2013-6450, CVE-2013-6449 )

Published: 2018-09-29 18:04:03
Source: www.ibm.com
EPSS: 0.974 (percentile 99.9%)

Summary

The OpenSSL component is embedded in cqperl. Customers may be affected when they have Perl hooks or scripts that use SSL connections. ClearQuest itself does not provide any services using OpenSSL.

Vulnerability Details


CVE ID: CVE-2013-4353

Description: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a connecting client to crash.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90201 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-6450

Description: OpenSSL is vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the daemon to crash.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90069 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-6449

Description: OpenSSL is vulnerable to a denial of service. A remote attacker could exploit this vulnerability using specially-crafted traffic from a TLS 1.2 client to cause the daemon to crash.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90068 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Rational ClearQuest versions 7.1.1 through 7.1.1.9, 7.1.2 through 7.1.2.12, 8.0.0 through 8.0.0.9, and 8.0.1 through 8.0.1.2 where you have written Perl hooks or scripts that use SSL connections.

Remediation/Fixes

The solution is to upgrade to a version of ClearQuest that has a newer OpenSSL component that corrects these vulnerabilities. Select the proper fix for your version:

Client fixes (for Windows ClearQuest clients meeting the description above of vulnerable configurations)

Systems running 8.0.1 through 8.0.1.2:
* Upgrade to Rational ClearQuest Fix Pack 3 (8.0.1.3) for 8.0.1

Systems running 8.0.0 through 8.0.0.9:
* Upgrade to Rational ClearQuest Fix Pack 10 (8.0.0.10) for 8.0

Systems running 7.1.1 through 7.1.1.9, or 7.1.2 through 7.1.2.12:
* Upgrade to Rational ClearQuest Fix Pack 13 (7.1.2.13) for 7.1.2.

Note:
7.1.2.13 inter-operates with all 7.1.1.x systems, and can be installed in the same way as 7.1.1.x fix packs.

Note: There is a serious security issue CVE-2014-0160 which affects the above releases. It is recommended that you upgrade to the Interim fix (contains OpenSSL 1.0.1g) associated with the Fix Packs listed above. Please read Security Bulletin: Rational ClearQuest affected by vulnerability in OpenSSL (CVE-2014-0160) for details.
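Because the bulletin says the affected OpenSSL lives inside cqperl and only matters for hooks that open SSL connections, a useful pre- and post-patch check is to ask cqperl itself which OpenSSL its SSL bindings link against. The script below is an added example, not IBM's code; it assumes cqperl ships Net::SSLeay (the binding IO::Socket::SSL and similar modules sit on) and uses 1.0.1g, the only fixed OpenSSL version the bulletin names, as the threshold.

```perl
#!/usr/bin/env perl
# Run as: cqperl check_cq_openssl.pl
# Reports the OpenSSL that cqperl's SSL bindings are linked against and
# flags anything older than the 1.0.1g named for the interim fix.
# Example code, not IBM's; assumes Net::SSLeay is present in cqperl.
use strict;
use warnings;

# Threshold is an assumption: the bulletin names OpenSSL 1.0.1g only for the
# interim fix, so anything older is reported as needing the fix-pack review.
use constant FIXED_OPENSSL => 0x1000107f;   # 1.0.1g in MNNFFPPS encoding

# Decode OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into a "1.0.1g"-style string.
sub decode_openssl_number {
    my ($n) = @_;
    my $major  = ($n >> 28) & 0xF;
    my $minor  = ($n >> 20) & 0xFF;
    my $fix    = ($n >> 12) & 0xFF;
    my $patch  = ($n >>  4) & 0xFF;
    my $letter = $patch ? chr(ord('a') + $patch - 1) : '';
    return "$major.$minor.$fix$letter";
}

# If Net::SSLeay cannot be loaded, Perl hooks in this cqperl cannot be
# reaching OpenSSL through the usual SSL modules at all.
my $have_ssleay = eval { require Net::SSLeay; 1 };
if (!$have_ssleay) {
    print "Net::SSLeay not available in this cqperl; SSL hooks would not load.\n";
    exit 0;
}

my $num = Net::SSLeay::SSLeay();            # compiled-in OPENSSL_VERSION_NUMBER
my $str = Net::SSLeay::SSLeay_version(0);   # e.g. "OpenSSL 1.0.1g 7 Apr 2014"
printf "Embedded OpenSSL: %s (0x%08x, decoded %s)\n",
    $str, $num, decode_openssl_number($num);

if ($num < FIXED_OPENSSL) {
    print "Older than 1.0.1g: apply the fix pack / interim fix from this bulletin.\n";
    exit 1;
}
print "At or above 1.0.1g.\n";
exit 0;
```

Run it once before and once after applying the fix pack on each client that has SSL-using hooks; a non-zero exit is the signal to keep in an inventory report.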

Workarounds and Mitigations

None