Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2014-3566, CVE-2014-6457, CVE-2014-6468)

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).

This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server applications. These issues were disclosed as part of the IBM Java SDK updates in October 2014.

IBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. The remediation instructions are dependent on whether your deployment uses WAS or Tomcat.

IBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM Java SDK updates in October 2014:

CVE-ID:CVE-2014-3566

**Description:**Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3 **CVSS Temporal Score: **See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6457

Description: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97148&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6468

Description: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 6.9 CVSS TemporalScore: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97138&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

Rational Quality Manager 2.0 - 2.0.1
Rational Quality Manager 3.0 - 3.0.1.6 iFix3
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2

Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix3
Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2

Rational Requirements Composer 2.0 - 2.0.0.4
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 3
Rational Requirements Composer 4.0 - 4.0.7

Rational DOORS Next Generation 4.0 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2

Rational Engineering Lifecycle Manager 1.0- 1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2

Rational Rhapsody Design Manager 3.0 - 3.0.1
Rational Rhapsody Design Manager 4.0 - 4.0.7
Rational Rhapsody Design Manager 5.0 - 5.0.2

Rational Software Architect Design Manager 3.0 - 3.0.1
Rational Software Architect Design Manager 4.0 - 4.0.7
Rational Software Architect Design Manager 5.0 - 5.0.2

Remediation/Fixes

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions:
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server October 2014 CPU.

Otherwise:
Upgrade your products to version 4.0.7 or5.0.2 or later, and then perform the following upgrades:

How to update the IBM SDK for Java of IBM Rational products based on version 4.0.6 or later of IBM’s Jazz technology

OR:
Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades.

• For these 3.x releases upgrade to version 3.0.1.6 iFix 5

  • Rational Quality Manager 3.0.1.6 iFix5
  • Rational Team Concert 3.0.1.6 iFix5
  • Rational Requirements Composer 3.0.1.6 iFix5
• • • For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0, contact IBM support for guidance.

• For the 2.x releases, contact IBM support for additional details on the fix.

• For the 1.x releases of Rational Engineering Lifecycle Manager, contact IBM support for additional details on the fix.

Workarounds and Mitigations

None