IBM Rational ClearCase is affected by cURL/libcURL vulnerabilities.
CVEID: CVE-2017-1000100
DESCRIPTION: cURL could allow a remote attacker to obtain sensitive information, caused by a TFTP URL processing error when doing a TFTP transfer. By redirecting a libcurl-using client request to a TFTP URL containing an overly long file name, an attacker could exploit this vulnerability to make the client send private memory contents and obtain sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130190 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-1000254
DESCRIPTION: libcurl is vulnerable to a denial of service, caused by a buffer overread in the string parser. By sending a specially crafted response to a PWD command, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133027 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-1000257
DESCRIPTION: cURL is vulnerable to a denial of service, caused by a buffer overread in the IMAP handler. By using a specially crafted IMAP FETCH response, a remote attacker could exploit this vulnerability to cause the application to crash or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
The cURL component is used in the CMI integration, the OSLC-based ClearQuest integration, and in the automatic view client.
| ClearCase client version | Status |
|---|---|
| 9.0.1 through 9.0.1.1 | Affected |
| 9.0 through 9.0.0.5 | Affected |
| 8.0.1 through 8.0.1.15 | Affected |
| 8.0 through 8.0.0.21 | Affected |
The solution is to upgrade to a fix pack of ClearCase that disables the vulnerable configuration in the cURL component.
| Affected Versions | Applying the fix |
|---|---|
| 9.0.1 through 9.0.1.1 | Install Rational ClearCase Fix Pack 2 (9.0.1.2) for 9.0.1 |
| 9.0 through 9.0.0.5 | Install Rational ClearCase Fix Pack 6 (9.0.0.6) for 9.0 |
| 8.0.1 through 8.0.1.15 | Install Rational ClearCase Fix Pack 16 (8.0.1.16) for 8.0.1 |
| 8.0 through 8.0.0.21 | Install Rational ClearCase Fix Pack 16 (8.0.1.16) for 8.0.1 |
For 7.0, 7.1, and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
None