IBM Support

Security Bulletin: Vulnerabilities in RequisitePro GSKit Component (CVE-2014-0076)

Created by Carlos Alfonso… on
Published URL:
https://www.ibm.com/support/pages/node/513213
513213

Security Bulletin


Summary

An attacker running a program on the same machine as where the victim is running a program could use CPU timing information to discover key information.

Vulnerability Details

 Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVE-ID: CVE-2014-0076

Description: An attacker running a program on the same machine as where the victim is running a program could use CPU timing information to discover key information about certain kinds of binary type Elliptic Curves used in Digital signatures during signing operations. Although GSKit only generates Prime type Elliptic Curves, externally generated keys may be imported in GSKit.


The IBM GSKit is used by RequisitePro when supporting SSL connections.

CVSS Base Score: 2.1


CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91990
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

ReqPro version

Status
Rational RequisitePro 7.1.4 through 7.1.4.3
Affected
Rational RequisitePro 7.1.3 through 7.1.3.10
Affected if you use IBM HTTP Server version 8 or higher
Rational RequisitePro 7.1.2 through 7.1.2.13
Affected if you use IBM HTTP Server version 8 or higher
Rational RequisitePro 7.0.x, 7.1.0.x, 7.1.1.x
Not Affected

Remediation/Fixes

The solution is to upgrade to a fix pack of ReqPro that has a newer GSKit component that corrects these vulnerabilities, and to update IBM HTTP Server. Please see below for information on the fixes available.

Affected version
Remediation
7.1.4.x
7.1.3.x
7.1.2.x

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 24 June 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT Advisory 1731, record 36621. Monica Patel approved 10June.
(adv 1731, ECDSA, 2014B)

[{"Product":{"code":"SSSHCT","label":"Rational RequisitePro"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF033","label":"Windows"}],"Version":"7.1.2;7.1.2.1;7.1.2.10;7.1.2.11;7.1.2.12;7.1.2.13;7.1.2.2;7.1.2.3;7.1.2.4;7.1.2.5;7.1.2.6;7.1.2.7;7.1.2.8;7.1.2.9;7.1.3;7.1.3.1;7.1.3.10;7.1.3.2;7.1.3.3;7.1.3.4;7.1.3.5;7.1.3.6;7.1.3.7;7.1.3.8;7.1.3.9;7.1.4;7.1.4.1;7.1.4.2;7.1.4.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018

UID

swg21675797

Page Feedback