Security Bulletin
Summary
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 5 and 6 that are used by IBM Rational ClearCase. These issues were disclosed as part of the IBM Java SDK updates in January 2015. This bulletin also addresses the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.
Vulnerability Details
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-0383
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:C)
CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
Only the ClearCase Remote Client/ClearTeam Explorer component of ClearCase is affected by CVE-2014-6593, CVE-2015-0383, CVE-2015-0410.
ClearCase Remote Client/ClearTeam Explorer version | Status |
8.0.1 through 8.0.1.7 | Affected by all CVEs listed above |
8.0 through 8.0.0.14 | Affected by all CVEs listed above |
7.1.2 through 7.1.2.17 | Affected by all CVEs listed above |
7.1.0.x, 7.1.1.x (all versions and fix packs) | Affected by all CVEs listed above |
However, other ClearCase components are affected by the "FREAK" attack, as disclosed in CVE-2015-0138 and CVE-2015-0204. See the following bulletins for additional fixes for other components of ClearCase:
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-0138)
Security Bulletin: Vulnerabilities in GSKit affect IBM Rational ClearCase (CVE-2015-0138)
Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearCase (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)
Remediation/Fixes
The solution is to update to the latest fix pack.
Affected Versions | Applying the fix |
8.0.1 through 8.0.1.7 | Install Rational ClearCase Fix Pack 8 (8.0.1.8) for 8.0.1 |
8.0 through 8.0.0.14 | Install Rational ClearCase Fix Pack 15 (8.0.0.15) for 8.0 |
7.1.2 through 7.1.2.17 7.1.1.x (all fix packs) 7.1.0.x (all fix packs) | Customers on extended support contracts should install Rational ClearCase Fix Pack 18 (7.1.2.18) for 7.1.2 |
For unsupported versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Notes:
- If you use CCRC as an extension offering installed into an Eclipse shell (one not provided as part of a ClearCase release), you should update the Java™ Virtual Machine used by Eclipse to include a fix for the above issues. Contact the supplier of your Eclipse or Java™ Virtual Machine for instructions on updating Eclipse.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Acknowledgement
CVE-2015-0138 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA
Change History
* 2 April 2015: Original copy published
* 17 April 2015: updated to cross-reference related fixes.
* 24 June 2015: fix is now included in fix packs
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
The previous fixes are on the test fix portal, included in the following TestFixes:
7.1.2.17.001
8.0.0.14.001
8.0.1.07.003
they can be installed using Installation Manager.
For 2015B, we will revise the instructions to apply a fix pack instead
The test fixes above supersede the previous manually-installed JRE solution.
7.0.x.x has Java 1.4, it has no fixes, we are contacting extended support customers directly.
Was this topic helpful?
Document Information
Modified date:
10 July 2018
UID
swg21698749