IBM Rational ClearCase’s installer exposes server passwords in memory during the installation procedure.
**CVEID:** CVE-2014-6134
**DESCRIPTION:** IBM ClearCase installer exposes server passwords in memory in clear text so that a local attacker can examine the process and recover the password.
CVSS Base Score: 1.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96814> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:N/A:N)
ClearCase version | Status
---|---
8.0.1 through 8.0.1.6 | Affected
8.0 through 8.0.0.13 | Affected
The vulnerability occurs only during installation. Once the product is installed, it is no longer vulnerable to this issue.
The solution is to upgrade to Installation Manager 1.8.2 or later and upgrade to a newer fix pack of ClearCase.
Affected ClearCase Versions | **Applying the ClearCase fix**
---|---
8.0.1.x | Install IM 1.8.2 or later (follow the links in IBM document 7025142), then install Rational ClearCase Fix Pack 7 (8.0.1.7) for 8.0.1.
8.0.0.x | Install IM 1.8.2 or later (follow the links in IBM document 7025142), then install Rational ClearCase Fix Pack 14 (8.0.0.14) for 8.0.