There are vulnerabilities in the IBM® Runtime Environment Java™ Versions 7 and 8, which is used by IBM Rational ClearCase. These issues were disclosed as part of the IBM SDK, Java Technology Edition Quarterly CPU - Jan 2021 - Includes Oracle Jan 2021 CPU plus CVE-2020-27221, CVE-2020-14781 (deferred from Oracle Oct 2020 CPU for Java 8), CVE-2020-2773 (deferred from Oracle Apr 2020 CPU), CVE-2020-14782 (deferred from Oracle Oct 2020 CPU for Java 8)
CVEID:CVE-2020-14782
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190100 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2020-14781
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190099 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-27221
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2020-2773
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179673 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM Rational ClearCase | 8.0.0 |
IBM Rational ClearCase | 9.0 |
IBM Rational ClearCase | 9.0.1 |
IBM Rational ClearCase | 9.1 |
IBM Rational ClearCase | 9.0.2 |
IBM Rational ClearCase | 8.0.1 |
The solution is to install a fix that includes an updated Java™ Virtual Machine with fixes for the issues, and to apply fixes for WebSphere Application Server (WAS).
Apply the relevant fixes as listed in the table below.
Affected Versions
|
Applying the fix
—|—
9.1 through 9.1.0.1| Install Rational ClearCase Fix Pack 1 (9.1.0.1) for 9.1
9.0.2 through 9.0.2.4
| Install Rational ClearCase Fix Pack 4 (9.0.2.4) for 9.0.2
9.0.1 through 9.0.1.12
9.0 through 9.0.0.6
| Install Rational ClearCase Fix Pack 12 (9.0.1.12) for 9.0.1
For 8.0 and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Notes:
If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), or you use rcleartool or CMAPI using a Java™ Virtual Machine not supplied by IBM as part of Rational ClearCase, you should update the Java™ Virtual Machine that you use to include a fix for the above issues. Contact the supplier of your Java™ Virtual Machine and/or the supplier of your Eclipse shell.
Affected Versions
|
Applying the fix
—|—
9.0.0.x
9.0.1.x
9.0.2.x
9.1.0.x
| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary.
<ccase-home>/common/ccrcprofile
), then execute the script: bin/versionInfo.sh
(UNIX) or bin\versionInfo.bat
(Windows). The output includes a section “IBM WebSphere Application Server”. Make note of the version listed in this section.**Note:**there may be newer security fixes for WebSphere Application Server. Follow the link below (in the section "