IBM Rational ClearQuest is vulnerable to attacks on its SSL/TLS communications due to improper validation of server certificates.
CVEID: CVE-2016-2922
DESCRIPTION: IBM ClearQuest (CQ OSLC linkages, EmailRelay) fails to check the SSL certificate against the requested hostname. It is subject to a man-in-the-middle attack, with an impersonating server observing all the data transmitted to the real server.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
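The flaw described above is the absence of one specific step after the certificate chain has been validated: comparing the name in the presented certificate with the host the client asked for. The following added example, written for this bulletin and not code from IBM or ClearQuest, models that step in Python. It implements a subjectAltName dNSName match in the style of RFC 6125 (case-insensitive, single leftmost-label wildcard only, CN ignored), shows the weak and the hardened `ssl.SSLContext` settings side by side, and models the client's accept/reject decision with and without the hostname check. The certificates are constructed dictionaries in the shape returned by `ssl.SSLSocket.getpeercert()`; all hostnames are made up.

```python
import ssl
from typing import Mapping

# Constructed sample certificates (not real ClearQuest or IBM certificates),
# in the dict shape that ssl.SSLSocket.getpeercert() returns.
SERVER_CERT = {
    "subject": ((("commonName", "cq.example.test"),),),
    "subjectAltName": (("DNS", "cq.example.test"), ("DNS", "*.relay.example.test")),
}
# A perfectly valid certificate issued to some *other* host. Chain validation
# succeeds for it; only a hostname check tells it apart from the real server.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "other-server.example.test"),),),
    "subjectAltName": (("DNS", "other-server.example.test"),),
}
# Legacy certificate with no SAN at all; modern clients must reject it.
CN_ONLY_CERT = {"subject": ((("commonName", "cq.example.test"),),)}


def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName SAN entry with the requested host.
    A wildcard is accepted only as the entire leftmost label, it matches exactly
    one label, and it must leave at least two fixed labels to its right
    (so '*.relay.example.test' matches 'mail.relay.example.test' but not
    'a.b.relay.example.test', 'relay.example.test', or '*.test')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: Mapping, hostname: str) -> bool:
    """True only if the requested hostname matches a dNSName SAN entry.
    The subject CN is deliberately not consulted (no SAN means no match)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dnsname_matches(san, hostname) for san in sans)


def client_accepts(cert: Mapping, requested_host: str, check_hostname: bool) -> bool:
    """Models the client's decision *after* chain validation has already passed.
    With check_hostname=False (the CVE-2016-2922 behaviour) any validly issued
    certificate is accepted for any requested host."""
    if not check_hostname:
        return True
    return hostname_matches_cert(cert, requested_host)


def weak_client_context() -> ssl.SSLContext:
    """The configuration that produces this class of bug: chain validation on,
    hostname comparison off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the weak setting
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The default context already verifies the chain AND the hostname;
    the fix is simply not to turn check_hostname off."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for name, cert in (("real server", SERVER_CERT), ("other host", OTHER_HOST_CERT)):
        for check in (False, True):
            print(f"{name:12s} check_hostname={check!s:5s} -> "
                  f"accepted={client_accepts(cert, 'cq.example.test', check)}")
```

When auditing a client in any language, the question to ask is the one `client_accepts` makes explicit: after the chain is validated, does the code ever compare the requested host name with the certificate's SAN entries? In Python that is `SSLContext.check_hostname`; in other stacks it is usually an explicit verifier callback or a hostname-verification flag, and a disabled one is the finding.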
IBM Rational ClearQuest versions 8 and 9, in the releases listed below:
| ClearQuest version | Status |
|---|---|
| 9.0.1 through 9.0.1.3 | Affected |
| 9.0 through 9.0.0.6 | Affected |
| 8.0 through 8.0.0.21 | Affected |
| 8.0.1 through 8.0.1.17 | Affected |
Apply a fix pack as listed in the table below.

| Affected Versions | Applying the fix |
|---|---|
| 9.0.1 through 9.0.1.3; 9.0 through 9.0.0.6 | Install Rational ClearQuest Fix Pack 4 (9.0.1.4) for 9.0.1 |
| 8.0.1 through 8.0.1.17; 8.0 through 8.0.0.21 | Install Rational ClearQuest Fix Pack 18 (8.0.1.18) for 8.0.1 |
For 7.0.x, 7.1.x, 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Workarounds and Mitigations: None.