OpenSSL has security vulnerabilities that allow a remote attacker to exploit the application. The details of each vulnerability are discussed in the subsequent section.
This section includes details of the vulnerabilities that affect Rational Build Forge.
CVEID: CVE-2019-1547
DESCRIPTION: OpenSSL could allow a local authenticated attacker to obtain sensitive information, caused by the ability to construct an EC group missing the cofactor using explicit parameters instead of using a named curve. An attacker could exploit this vulnerability to obtain full key recovery during an ECDSA signature operation.
**CVSS Base Score:** 5.5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167020> for the current score.
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2019-1549
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to include protection in the event of a fork() system call to ensure that the parent and child processes do not share the same RNG state. An attacker could exploit this vulnerability to obtain sensitive information.
**CVSS Base Score:** 3.7
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167021> for the current score.
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
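To make the fork() RNG issue concrete, the following toy model is an added example and is not OpenSSL's code: a constructed counter-mode generator (`ToyDrbg`, a hypothetical name) is forked with and without the kind of PID check the fix relies on, and the parent's and child's first outputs are compared.

```python
"""Toy model of the CVE-2019-1549 failure mode: DRBG state copied by fork().

Constructed example, not OpenSSL's implementation. out_i = SHA-256(seed || i)
stands in for the real DRBG; the fork-safe variant reseeds when it notices
it is running in a different process than the one that seeded it.
"""
import hashlib
import os


class ToyDrbg:
    def __init__(self, fork_safe):
        self.fork_safe = fork_safe
        self._reseed()

    def _reseed(self):
        self.seed = os.urandom(32)      # fresh entropy from the OS
        self.counter = 0
        self.pid = os.getpid()          # remember which process seeded us

    def generate(self, n=16):
        # Fork protection: after fork() the child holds an identical copy of
        # the state, so a PID change means we must reseed before any output.
        if self.fork_safe and os.getpid() != self.pid:
            self._reseed()
        self.counter += 1
        return hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()[:n]


def outputs_collide_after_fork(fork_safe):
    """Fork, draw one block in parent and child, return True if they match."""
    drbg = ToyDrbg(fork_safe)
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                        # child: send its first block back
        os.close(r)
        os.write(w, drbg.generate())
        os._exit(0)
    os.close(w)
    child_out = os.read(r, 16)
    os.close(r)
    os.waitpid(pid, 0)
    return child_out == drbg.generate()


if __name__ == "__main__":
    print("unsafe DRBG collides:", outputs_collide_after_fork(False))  # True
    print("fork-safe DRBG collides:", outputs_collide_after_fork(True))  # False
```

The unsafe variant shows why a server that forks worker processes after seeding can hand the same "random" bytes to two requests; the safe variant reseeds in the child, which is the behaviour the fix restores.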
CVEID: CVE-2019-1552
DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the building of mingw programs or Windows programs with world writable path defaults. An attacker could exploit this vulnerability to modify the default configuration, insert CA certificates, and modify (or even replace) existing engine modules.
**CVSS Base Score:** 2.9
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164498> for the current score.
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2019-1563
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. By sending an overly large number of messages to be decrypted, an attacker could exploit this vulnerability to obtain sensitive information.
**CVSS Base Score:** 3.7
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167022> for the current score.
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
IBM Rational Build Forge from 8.0.0.13.
You must download the fix pack specified in the following table and apply it.

| Affected Supporting Product | Remediation/Fix |
|---|---|
| IBM Rational Build Forge 8.0.0.13 | Rational Build Forge 8.0.0.14 Download |
None.