IBM Support

Security Bulletin: Multiple vulnerabilities in Rational Collaborative Lifecycle Management 4.0.1 (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Security Bulletin


Summary

Vulnerabilities have been identified in IBM Rational Team Concert (RTC), IBM Rational Quality Manager (RQM), and IBM Rational Requirements Composer (RRC) versions 4.0 and 4.0.1 and the Rational Collaborative Lifecycle Management Solution (CLM), allowing a remote attacker to bypass access restrictions on the server process.

Vulnerability Details

Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVEID: CVE-2012-5885

Description: Replay-countermeasure functionality in HTTP Digest Access Authentication has a flaw, which makes it easier for attackers to bypass access restrictions.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80408 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


CVEID: CVE-2012-5886

Description: HTTP Digest Access Authentication implementation could potentially allow an attacker to bypass authentication.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80407 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)


CVEID: CVE-2012-5887

Description: HTTP Digest Access Authentication implementation has a flaw which allows an
attacker to bypass restrictions.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79809 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

CLM 4.0.1 and earlier
RTC 4.0.1 and earlier
RQM 4.0.1 and earlier
RRC 4.0.1 and earlier

Remediation/Fixes

Apply version 4.0.2 or later to resolve the issue.

Downloads are available from https://jazz.net/downloads

Workarounds and Mitigations

Isolate systems from untrusted network traffic by means of firewalls.

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Off

Acknowledgement

None

Change History

21 March 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"4.0.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Product":{"code":"SSUVV6","label":"IBM Engineering Test Management"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"4.0;4.0.0.1;4.0.0.2;4.0.1","Edition":"Standard;Express","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Product":{"code":"SSUC3U","label":"IBM Engineering Workflow Management"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"4.0;4.0.0.1;4.0.0.2;4.0.1","Edition":"Standard;Express-C;Express;Enterprise","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Product":{"code":"SSWMEQ","label":"Rational Requirements Composer"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}],"Version":"4.0;4.0.0.1;4.0.0.2;4.0.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}]

Product Synonym

Rational Team Concert;Rational Quality Manager;Rational Collaborative Lifecycle Management Solution

Document Information

Modified date:
28 April 2021

UID

swg21626891