Security Bulletin
Summary
OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project. This includes “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. OpenSSL is used by ratlperl for SSL communications. Rational RequisitePro has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2014-3570
DESCRIPTION: An unspecified error in OpenSSL related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99710 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-3572
DESCRIPTION: OpenSSL could provide weaker than expected security. The client accepts a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 1.2
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99705 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-0204
DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/99707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM Rational RequisitePro versions:
Version | Status |
7.1.4 through 7.1.4.7 | Affected |
7.1.3 through 7.1.3.14 | Affected |
7.1.2 through 7.1.2.17 | Affected |
7.1.1.x (all versions) | Affected |
Not all deployments of Rational RequisitePro use OpenSSL in a way that is affected by these vulnerabilities.
You are vulnerable if your use of Rational RequisitePro includes any of these configurations:
- You use SSL connections in perl scripts run by ratlperl or cqperl
- You integrate with ClearQuest. See Security Bulletin: Vulnerabilities in OpenSSL affect Rational ClearQuest (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)
Remediation/Fixes
The fix is to upgrade RequisitePro to 7.1.2.17, 7.1.3.14, or 7.1.4.7 and install OpenSSL 1.0.1l for IBM Rational RequisitePro.
Upgrade RequisitePro:
Affected version | Applying the fix |
7.1.4.x (all versions) | |
7.1.3.x (all versions) | |
7.1.2.x (all versions) and 7.1.1.x (all versions) | Install Rational RequisitePro Fix Pack 17 (7.1.2.17). Note: 7.1.2.17 interoperates with all 7.1.x.x systems, and can be installed in the same way as 7.1.x.x fix packs. |
Contact Rational Customer support for instructions to download and install the updated version of OpenSSL.
You should verify applying this fix does not cause any compatibility issues.
Workarounds and Mitigations
Disable any script that uses SSL and runs in ratlperl or cqperl until you apply the fixes listed above.
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
The fixes are LA iFixes that apply on top of the 2015A fix packs
(7.1.2.17, 8.0.0.14, 8.0.1.7). Customers should upgrade to those
releases before applying these fixes.
For each platform, for each affected release, there is a zip file on the
Rational fix portal with the fixes, and a matching README file with
manual installation instructions. The customer should download the
fixes and READMEs for their platform(s)/release(s).
The plan is to incorporate all these fixes in 2015B fix packs, but we
are publishing them early to meet the IBM security team's guidelines.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21702760