Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2018-0734, CVE-2018-5407)

2019-03-21 15:20:01
www.ibm.com

Summary

OpenSSL vulnerabilities were disclosed on October 30, 2018 and November 2, 2018 by the OpenSSL Project. OpenSSL is used by IBM Rational ClearCase. IBM Rational ClearCase has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architecture’s parallel thread running capabilities to leak encrypted data from the CPU’s internal processes. Note: This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152484 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Rational ClearCase versions:

Version | Status
---|---
9.0.1 through 9.0.1.5 | Affected
9.0 through 9.0.0.6 | Affected
8.0.1 through 8.0.1.19 | Affected
8.0 through 8.0.0.21 | Affected

Not all deployments of Rational ClearCase use OpenSSL in a way that is affected by these vulnerabilities.

You are vulnerable if your use of Rational ClearCase includes any of these configurations:

  1. You use the base ClearCase/ClearQuest integration client on any platform, configured to use SSL to communicate with a ClearQuest server.
  2. You use the UCM/ClearQuest integration on UNIX/Linux clients, configured to use SSL to communicate with a ClearQuest server.
    Note: Windows clients using the UCM/ClearQuest integration are not vulnerable.
  3. On UNIX/Linux clients, you use the Change Management Integration (CMI), when configured to use SSL to communicate with the server.
    Note: Windows clients using the CMI integration are not vulnerable.
  4. You use ratlperl, ccperl, or cqperl to run your own perl scripts, and those scripts use SSL connections.

Remediation/Fixes

Apply a fix pack as listed in the table below. The fix pack includes OpenSSL 1.0.2q.

Affected Versions | Applying the fix
---|---
9.0.1 through 9.0.1.5, 9.0 through 9.0.0.6 | Install Rational ClearCase Fix Pack 6 (9.0.1.6) for 9.0.1
8.0.1 through 8.0.1.19, 8.0 through 8.0.0.21 | Install Rational ClearCase Fix Pack 20 (8.0.1.20) for 8.0.1

For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
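As an added example (not IBM's code and not part of the bulletin), the following Python turns the two tables above into a check: given a ClearCase version string it reports whether the version falls in an affected range and which fix pack the bulletin names, and a second helper compares a reported OpenSSL version against the 1.0.2q level the fix pack carries. The affected ranges, fix-pack versions and instructions are copied from the tables; the version strings in the `__main__` block and the OpenSSL banner are constructed. "X through Y" is read as inclusive on both ends, a version at or past the fix pack of its stream reports `fixed`, and anything the bulletin does not mention reports `not listed` rather than guessing.

```python
"""Version checks derived from this bulletin (CVE-2018-0734, CVE-2018-5407).

Added example, not IBM's code or output. Affected ranges and fix packs are
copied from the bulletin tables; OpenSSL 1.0.2q is the level the bulletin
names. Every version string passed in below is constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected streams from the bulletin. "X through Y" is inclusive on both
# ends. Each stream is closed by the fix pack the bulletin names for it.
STREAMS = (
    # (affected low, affected high, fix-pack version, bulletin instruction)
    ("9.0.1", "9.0.1.5", "9.0.1.6", "Install Rational ClearCase Fix Pack 6 (9.0.1.6) for 9.0.1"),
    ("9.0", "9.0.0.6", "9.0.1.6", "Install Rational ClearCase Fix Pack 6 (9.0.1.6) for 9.0.1"),
    ("8.0.1", "8.0.1.19", "8.0.1.20", "Install Rational ClearCase Fix Pack 20 (8.0.1.20) for 8.0.1"),
    ("8.0", "8.0.0.21", "8.0.1.20", "Install Rational ClearCase Fix Pack 20 (8.0.1.20) for 8.0.1"),
)


def parse_version(text: str, width: int = 4) -> Version:
    """'9.0.1.05' -> (9, 0, 1, 5); shorter strings are right-padded with zeros.

    Padding is what makes the lower bounds inclusive: '9.0.1' must compare
    equal to '9.0.1.0', not sort before it.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    if len(parts) > width:
        raise ValueError(f"more than {width} components: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def assess_clearcase(version: str) -> Tuple[str, Optional[str]]:
    """Classify a ClearCase version against the bulletin.

    Returns ("affected", <fix instruction>), ("fixed", None) when the version
    is at or past the fix pack for its stream, or ("not listed", None) when
    the bulletin says nothing about it (for example a later release).
    """
    v = parse_version(version)
    for low, high, _, instruction in STREAMS:
        if parse_version(low) <= v <= parse_version(high):
            return "affected", instruction
    for _, _, fix_version, _ in STREAMS:
        fv = parse_version(fix_version)
        # Same major.minor stream and at or beyond the fix pack.
        if v[:2] == fv[:2] and v >= fv:
            return "fixed", None
    return "not listed", None


# OpenSSL 1.0.x versions carry a letter suffix ("1.0.2q"); 1.1.x do not.
_OPENSSL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl(text: str) -> Tuple[int, int, int, str]:
    """'OpenSSL 1.0.2p  14 Aug 2018' -> (1, 0, 2, 'p').

    The letter suffix orders alphabetically, and a bare '1.0.2' precedes
    '1.0.2a' because '' < 'a' in tuple comparison.
    """
    m = _OPENSSL_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def openssl_at_least(reported: str, required: str = "1.0.2q") -> bool:
    """True when the reported library is at or beyond the bulletin's level."""
    return parse_openssl(reported) >= parse_openssl(required)


if __name__ == "__main__":
    # Constructed sample versions, not output from any real installation.
    for sample in ("9.0.1.05", "9.0", "9.0.1.6", "8.0.0.21", "8.0.1.20", "10.0"):
        print(sample, assess_clearcase(sample))
    # Constructed banner in the shape `openssl version` prints.
    print(openssl_at_least("OpenSSL 1.0.2p  14 Aug 2018"))
```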

Workarounds and Mitigations

None.