Security Bulletin
Summary
Transport Layer Security (TLS) padding vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack affects IBM Rational ClearCase.
Vulnerability Details
CVE-ID: CVE-2014-8730
Description: IBM Rational ClearCase could allow a remote attacker to obtain sensitive information, caused by the failure of some TLS implementations to check the contents of the padding bytes when using CBC cipher suites. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt sensitive information and recover the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
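The defect the description refers to is the difference between a CBC padding check that trusts only the final length byte and one that verifies every padding byte. The following is an added illustration, not IBM's or ClearCase's code: a lax TLS 1.x unpadding routine beside a strict one, run over constructed records (function names and sample bytes are assumptions for the example).

```python
# Added example (not from the bulletin or the product): TLS 1.x CBC padding
# validation, lax vs. strict. In TLS 1.x the last byte of a decrypted block is
# the pad length L and the L bytes before it must each also equal L. A check
# that accepts the record after reading only the length byte behaves like SSLv3
# and gives a padding oracle of the kind CVE-2014-8730 describes.
from typing import Optional


def tls_pad(data: bytes, block_size: int) -> bytes:
    """Produce correct TLS 1.x padding: pad_len + 1 bytes, each equal to pad_len."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)


def lax_unpad(block: bytes) -> Optional[bytes]:
    """Vulnerable check: trusts the length byte and ignores the padding contents."""
    if not block:
        return None
    pad_len = block[-1]
    if pad_len + 1 > len(block):
        return None
    return block[: len(block) - pad_len - 1]


def strict_unpad(block: bytes) -> Optional[bytes]:
    """Correct TLS 1.x check: every byte of the padding region must equal pad_len."""
    if not block:
        return None
    pad_len = block[-1]
    if pad_len + 1 > len(block):
        return None
    padding = block[len(block) - pad_len - 1:]
    # Accumulate mismatches rather than returning early, so the amount of work
    # does not depend on where the first bad byte sits.
    bad = 0
    for b in padding:
        bad |= b ^ pad_len
    if bad:
        return None
    return block[: len(block) - pad_len - 1]


# Constructed sample records (block size 8): one correctly padded, one whose
# padding bytes were altered but whose length byte still reads 2.
GOOD_RECORD = tls_pad(b"hello", 8)                   # b"hello\x02\x02\x02"
TAMPERED_RECORD = b"hello" + bytes([0x41, 0x42, 0x02])


def accepts(block: bytes) -> tuple:
    """Return (lax_accepts, strict_accepts) for a decrypted block."""
    return (lax_unpad(block) is not None, strict_unpad(block) is not None)
```

A real record layer must also verify the MAC after unpadding; the point here is only that the lax routine accepts the tampered record while the strict one rejects it.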
Affected Products and Versions
CMI and OSLC integrations (Windows platform)
The vulnerable component is used when ClearCase on Windows platforms is configured to integrate with IBM Rational ClearQuest or Rational Team Concert with communication over SSL (https). This applies to Base CC/CQ integrations using the Change Management Interface (CMI) and to the UCM-enabled CQ integration via OSLC. The UCM-enabled CQ integration without OSLC (SQUID) is not susceptible to this attack.
The integrations may be used by Windows clients directly, or by a Windows CCRC WAN server/CM Server.
ClearCase Windows Client or CCRC WAN Server/CM Server Version | Status |
8.0.1.x | Affected if you use CMI or OSLC integrations |
8.0.0.5 and higher | Affected if you use CMI or OSLC integrations |
7.1.2.9 and higher | Affected if you use CMI or OSLC integrations |
7.0.x, 7.1.0.x, 7.1.1.x | Not affected |
Note: Linux/UNIX clients using CMI or OSLC integrations are not affected. Linux/UNIX WAN servers are not affected by this vulnerability in CMI/OSLC, but are affected by a vulnerability in IBM HTTP Server (IHS).
CCRC WAN Server (All platforms)
The vulnerable component is also used by CCRC WAN server (all platforms) and CM Server for ClearCase (all platforms) when supporting SSL connections with IBM HTTP Server.
ClearCase server version | Status of IHS vulnerability |
8.0.1.x (CCRC WAN server) | Affected (all platforms) if you use SSL |
8.0.0.x (CCRC WAN server) | Affected (all platforms) if you use SSL |
7.1.2.x (CM Server) | Affected (all platforms) if you use SSL |
7.1.1.x (CM Server) | Affected (all platforms) if you use SSL |
7.1.0.x (CM Server) | Affected (all platforms) if you use SSL |
Remediation/Fixes
Install the appropriate fix pack on your Windows systems running the vulnerable integration code (clients and servers):
Affected Versions | Applying the fix to Windows clients using an integration |
8.0.1.x | Install Rational ClearCase Fix Pack 7 (8.0.1.7) for 8.0.1 |
8.0.0.x | Install Rational ClearCase Fix Pack 14 (8.0.0.14) for 8.0 |
7.1.2.x, 7.1.1.x, 7.1.0.x | Customers on extended support contracts should install Rational ClearCase Fix Pack 17 (7.1.2.17) for 7.1.2 |
In addition to the above fix pack, you should install a fix for IBM HTTP Server on your CCRC WAN server/CM Server host(s). Apply the fixes listed in Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730).
To install a fix pack or interim fix for IHS as referenced in that bulletin, follow the guidance in this table:
Affected ClearCase Versions | Applying an IHS Fix |
8.0.0.x, 8.0.1.x | Install the IHS fixes to your installation, following the instructions from the IHS security bulletin. (IHS is installed and maintained separately for ClearCase 8.0.x.) |
7.1.0.x, 7.1.1.x, 7.1.2.x | Document 1390803 explains how to update IHS for ClearCase CM Servers at release 7.1.x. Consult those instructions when applying the fix. Install the IHS fixes listed in the IHS security bulletin referenced above. |
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Change History
* 22 December 2014: Original copy published
* 19 January 2015: revised to refer to fixes for IBM HTTP Server
* 18 March 2015: revised to refer to fix packs with final fixes
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
The eventual solution is to upgrade to a fix pack of ClearCase that does not require the environment variable to avoid this vulnerability. Please see below for information on the fixes available.
Document Information
Modified date: 10 July 2018
UID: swg21692655