OpenSSL has security vulnerabilities that allows a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections.
This section includes the vulnerability details that affects the Rational Build Forge.
CVEID: CVE-2018-0734
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key. CVSS Base Score: 3.7 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085> for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architecture’s parallel thread running capabilities to leak encrypted data from the CPU’s internal processes.
NOTE: This vulnerability is known as PortSmash.
CVSS Base Score: 5.1 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484> for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-ID:CVE-2019-1559
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic. **CVSS Base Score:**5.8 CVSS Temporal Score:<https://exchange.xforce.ibmcloud.com/vulnerabilities/157514> for more information *CVSS Environmental Score: **Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
IBM Rational Build Forge from 8.0.0.10.
You must download the Fix pack specified in the following table and apply it.
Affected Supporting Product
|
Remediation/Fix
—|—
IBM Rational Build Forge 8.0.0.10
| Rational Build Forge 8.0.0.11 Download .
None.