Security Bulletin: Cross-site Scripting vulnerabilities affect IBM Rational products based on IBM Jazz technology

Summary

Potential Cross-site scripting vulnerabilities affect the following IBM Rational Products: Rational Engineering Lifecycle Manager (RELM), Rational Rhapsody Design Manager (Rhapsody DM)

Vulnerability Details

CVEID: CVE-2016-8975**
DESCRIPTION:** IBM Rhapsody DM and IBM Rational Engineering Lifecycle Manager are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118912 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-1245**
DESCRIPTION:** IBM Rhapsody Design Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124580 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-1249**
DESCRIPTION:** IBM Rhapsody DM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/124629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-1287**
DESCRIPTION:** IBM Rhapsody DM could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Rational Rhapsody Design Manager 5.0.0-5.0.2, 6.0 - 6.0.3 (Versions 6.0.4 and above are not affected)

Rational Engineering Lifecycle Manager 6.0 - 6.0.2 (Versions 6.0.3 and above are not affected)

Remediation/Fixes

For Rational Rhapsody Design Manager 5.0.0-5.0.2, 6.0 - 6.0.3 releases, upgrade to one of the following versions:

* Upgrade to version 5.0.2 ifix19a or later:

<https://jazz.net/downloads/design-management/releases/5.0.2iFix19a&gt;
* Upgrade to version 6.0.3 ifix6 or later:

<https://jazz.net/downloads/design-management/releases/6.0.3iFix6&gt;
* Or upgrade to version 6.0.2 ifix11 or later:

<https://jazz.net/downloads/design-management/releases/6.0.2iFix11&gt; For Rational Engineering Lifecycle Manager 6.0 - 6.0.2 releases, upgrade to one of the following versions:
* Upgrade to version 6.0.3 or later:

<https://jazz.net/downloads/rational-engineering-lifecycle-manager/&gt;
* Or upgrade to 6.0.2 ifix10 or later:

1. Get the CLM ifix10 or later from: CLM 6.0.2 iFix10
2. Start the package installation and select RELM when asked about the products to be updated.

• For the 4.x releases, and any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None