IBM Support

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2014-3566, CVE-2014-6457, CVE-2014-6468)

Created by Michael J. Saylor on
Published URL:
https://www.ibm.com/support/pages/node/522647
522647

Security Bulletin


Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).

This also includes a fix for the Padding Oracle On Downgraded Legacy Encryption (POODLE) SSLv3 vulnerability (CVE-2014-3566). These were disclosed as part of the IBM Java SDK updates in October 2014.

Vulnerability Details

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server applications. These issues were disclosed as part of the IBM Java SDK updates in October 2014.

IBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. The remediation instructions are dependent on whether your deployment uses WAS or Tomcat.

IBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM Java SDK updates in October 2014:

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-6457

Description: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVEID: CVE-2014-6468

Description: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact.

CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97138 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

Rational Quality Manager 2.0 - 2.0.1
Rational Quality Manager 3.0 - 3.0.1.6 iFix3
Rational Quality Manager 4.0 - 4.0.7
Rational Quality Manager 5.0 - 5.0.2

Rational Team Concert 2.0 - 2.0.0.2
Rational Team Concert 3.0 - 3.0.6 iFix3
Rational Team Concert 4.0 - 4.0.7
Rational Team Concert 5.0 - 5.0.2

Rational Requirements Composer 2.0 - 2.0.0.4
Rational Requirements Composer 3.0 - 3.0.1.6 iFix 3
Rational Requirements Composer 4.0 - 4.0.7

Rational DOORS Next Generation 4.0 - 4.0.7
Rational DOORS Next Generation 5.0 - 5.0.2

Rational Engineering Lifecycle Manager 1.0- 1.0.0.1
Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7
Rational Engineering Lifecycle Manager 5.0 - 5.0.2

Rational Rhapsody Design Manager 3.0 - 3.0.1
Rational Rhapsody Design Manager 4.0 - 4.0.7
Rational Rhapsody Design Manager 5.0 - 5.0.2

Rational Software Architect Design Manager 3.0 - 3.0.1
Rational Software Architect Design Manager 4.0 - 4.0.7
Rational Software Architect Design Manager 5.0 - 5.0.2

Remediation/Fixes

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

If your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions:
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server October 2014 CPU.

Otherwise:
Upgrade your products to version 4.0.7 or 5.0.2 or later, and then perform the following upgrades:

How to update the IBM SDK for Java of IBM Rational products based on version 4.0.6 or later of IBM's Jazz technology

OR:
Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades.

  • For the 2.x releases, contact IBM support for additional details on the fix.
  • For the 1.x releases of Rational Engineering Lifecycle Manager, contact IBM support for additional details on the fix.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

* 06 March 2015: Added links to fixes
* 17 February 2015: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

// update the links when ifix 5 is available

[{"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF014","label":"iOS"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"3.0.1;3.0.1.6;4.0;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSUB2H","label":"IBM Engineering Lifecycle Optimization - Engineering Insights"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":"General Information","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"1.0;1.0.0.1;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSUVV6","label":"IBM Engineering Test Management"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Team Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"2.0;2.0.0.1;2.0.0.2;2.0.1;2.0.1.1;3.0.1;3.0.1.1;3.0.1.2;3.0.1.3;3.0.1.4;3.0.1.5;3.0.1.6;4.0;4.0.0.1;4.0.0.2;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSUC3U","label":"IBM Engineering Workflow Management"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":"Team Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"","label":"i5\/OS"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"},{"code":"","label":"Mac OS X"}],"Version":"2.0;2.0.0.1;2.0.0.2;3.0;3.0.1;3.0.1.1;3.0.1.2;3.0.1.3;3.0.1.4;3.0.1.5;3.0.1.6;4.0;4.0.0.1;4.0.0.2;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSUVLZ","label":"IBM Engineering Requirements Management DOORS Next"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF012","label":"IBM i"}],"Version":"4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSWMEQ","label":"Rational Requirements Composer"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Team Server","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"},{"code":"PF035","label":"z\/OS"}],"Version":"2.0;2.0.0.1;2.0.0.2;2.0.0.3;2.0.0.4;3.0.1;3.0.1.1;3.0.1.2;3.0.1.3;3.0.1.4;3.0.1.5;3.0.1.6;4.0;4.0.0.1;4.0.0.2;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSRNEV","label":"Rational Rhapsody Design Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"3.0;3.0.0.1;3.0.1;4.0;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SSRMY8","label":"Rational Software Architect Design Manager"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General Information","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"3.0;3.0.0.1;3.0.1;4.0;4.0.1;4.0.2;4.0.3;4.0.4;4.0.5;4.0.6;4.0.7;5.0;5.0.1;5.0.2","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Product Synonym

Rational DOORS Next Generation;Rational Team Concert;Rational Quality Manager;Rational Engineering Lifecycle Manager;Rational Collaborative Lifecycle Management Solution

Document Information

Modified date:
28 April 2021

UID

swg21693298

Page Feedback