History: Jul 10, 2018 - 8:34 a.m.

Security Bulletin: Vulnerability in cURL component shipped with IBM Rational ClearCase (CVE-2015-3153)

2018-07-10 08:34:12
www.ibm.com

EPSS: 0.004 (Low), percentile 73.0%

Summary

IBM Rational ClearCase is affected by a cURL/libcURL CURLOPT_HTTPHEADER information disclosure vulnerability.

Vulnerability Details

**CVEID:** CVE-2015-3153
**DESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by custom HTTP headers with sensitive content being sent to the server and intermediate proxy by the CURLOPT_HTTPHEADER option. An attacker could exploit this vulnerability to obtain authentication cookies or other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The cURL component is used in the CMI integration, the OSLC-based ClearQuest integration, and in the automatic view client.

| ClearCase client version | Status |
|---|---|
| 8.0.1 through 8.0.1.8 | Affected |
| 8.0 through 8.0.0.15 | Affected |
| 7.1.2 through 7.1.2.18 | Affected |
| 7.1.0.x, 7.1.1.x (all versions and fix packs) | Not affected |

Remediation/Fixes

The solution is to upgrade to a fix pack of ClearCase that has a fix in the cURL component.

| Affected Versions | Applying the fix |
|---|---|
| 8.0.1 through 8.0.1.8 | Install Rational ClearCase Fix Pack 9 (8.0.1.9) for 8.0.1 |
| 8.0 through 8.0.0.15 | Install Rational ClearCase Fix Pack 16 (8.0.0.16) for 8.0 |
| 7.1.2 through 7.1.2.18 | Customers on extended support contracts should install Rational ClearCase Fix Pack 19 (7.1.2.19) for 7.1.2 |
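To check a client inventory against the two tables above, the following added example (not IBM's code) classifies a ClearCase client version string and returns the bulletin's fix for it. It assumes a release at or above the listed fix pack in its stream carries the fix; the function names and the sample inventory are hypothetical.

```python
# Added example: triage ClearCase client versions against this bulletin's tables.
# Assumption: a release at or above the listed fix pack in its stream is fixed.
import re

# (release stream, last affected fix-pack number, fix text from the bulletin)
STREAMS = [
    ((8, 0, 1), 8, "Install Rational ClearCase Fix Pack 9 (8.0.1.9) for 8.0.1"),
    ((8, 0, 0), 15, "Install Rational ClearCase Fix Pack 16 (8.0.0.16) for 8.0"),
    ((7, 1, 2), 18, "Customers on extended support contracts should install "
                    "Rational ClearCase Fix Pack 19 (7.1.2.19) for 7.1.2"),
]
NOT_AFFECTED = [(7, 1, 0), (7, 1, 1)]  # all versions and fix packs


def parse_version(text):
    """Turn '8.0.1.5' or '8.0' into a 4-tuple, padding missing parts with 0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text):
    """Return (status, action) for one client version string."""
    v = parse_version(version_text)
    stream, fix_pack = v[:3], v[3]
    if stream in NOT_AFFECTED:
        return ("not affected", None)
    for prefix, last_affected, action in STREAMS:
        if stream == prefix:
            if fix_pack <= last_affected:
                return ("affected", action)
            return ("fixed", None)
    # Streams the bulletin does not mention are reported, not guessed at.
    return ("not listed in bulletin", None)


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    inventory = {"build01": "8.0.1.5", "dev-ws7": "8.0.0.16",
                 "legacy3": "7.1.1.4", "ci02": "7.1.2.18"}
    for host, ver in sorted(inventory.items()):
        status, action = triage(ver)
        print(f"{host:8} {ver:10} {status}" + (f" -> {action}" if action else ""))
```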

Workarounds and Mitigations

None
