History: Jul 10, 2018 - 8:34 a.m.

Security Bulletin: ClearCase installer exposes server passwords in memory (CVE-2014-6134)

2018-07-10 08:34:12
www.ibm.com

EPSS: 0

Percentile: 5.1%

Summary

IBM Rational ClearCase’s installer exposes server passwords in memory during the installation procedure.

Vulnerability Details

CVEID: CVE-2014-6134
DESCRIPTION: IBM ClearCase installer exposes server passwords in memory in clear text so that a local attacker can examine the process and recover the password.
CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96814> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)

Affected Products and Versions

ClearCase version | Status
—|—
8.0.1 through 8.0.1.6 | Affected
8.0 through 8.0.0.13 | Affected

The vulnerability only occurs during installation. Once the product is installed, it is no longer exposed to this issue.

Remediation/Fixes

The solution is to upgrade to Installation Manager 1.8.2 or later and upgrade to a newer fix pack of ClearCase.

Affected ClearCase Versions | **Applying the ClearCase fix**
—|—
8.0.1.x | Install IM 1.8.2 or later (follow the links in IBM document 7025142), then install Rational ClearCase Fix Pack 7 (8.0.1.7) for 8.0.1.
8.0.0.x | Install IM 1.8.2 or later (follow the links in IBM document 7025142), then install Rational ClearCase Fix Pack 14 (8.0.0.14) for 8.0.
