ESB-2017.1665 - [Win][Linux][Solaris][AIX][Mac] IBM's Jazz technology: Multiple vulnerabilities 2017-07-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1665
Security Bulletin: Security vulnerabilities based on IBM's Jazz technology
                                3 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM's Jazz technology
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
                   Mac OS
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6056 CVE-2017-5664 CVE-2017-5648
                   CVE-2017-5647 CVE-2016-9700 CVE-2016-8745

Reference:         ESB-2017.1631
                   ESB-2017.1595
                   ESB-2017.1579
                   ESB-2017.1578

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21999760
   http://www.ibm.com/support/docview.wss?uid=swg22005435

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple 
IBM Rational products based on IBM's Jazz technology

Security Bulletin

Document information

More support for: Rational Collaborative Lifecycle Management

General Information

Software version: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 
5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4

Operating system(s): AIX, Linux, Solaris, Windows, iOS

Reference #: 1999760

Modified date: 30 June 2017

Summary

The Jazz Team Server is shipped with/or supports versions of the Apache Tomcat
web server which contain security vulnerabilities that could potentially 
impact the following IBM Rational products deployed on Apache Tomcat: 
Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation 
(RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert 
(RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager 
(Rhapsody DM), and Rational Software Architect Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2017-6056

DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by a 
programming error in the servlet and JSP engine. A remote attacker could 
exploit this vulnerability to cause the server to enter into an infinite loop.

CVSS Base Score: 7.5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/122312 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-8745

DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive 
information, caused by improper handling of send file in the NIO HTTP 
connector after the Connector code was refactored for Tomcat 8.5.x. An 
attacker could exploit this vulnerability to obtain the session ID and the 
response body.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/119642 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-5647

DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive 
information, caused by an error in the processing of pipelined requests in 
send file. An attacker could exploit this vulnerability to obtain sensitive 
information from the wrong response.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/124400 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-5648

DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security 
restrictions, caused by the failure to use the appropriate facade object by 
certain application listener calls. An attacker could exploit this 
vulnerability to access and modify data on the system.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/124399 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-5664

DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security 
restrictions, caused by the improper handling of specific HTTP request methods
for static error pages by the Default Servlet error page mechanism. By sending
a specially crafted GET request, an attacker could exploit this vulnerability
to bypass HTTP method restrictions and cause the deletion or replacement of 
the target error page.

CVSS Base Score: 6.5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/126962 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

Affected Products and Versions

Rational Collaborative Lifecycle Management 3.0.1 - 6.0.4

Rational Quality Manager 4.0 - 4.0.7

Rational Quality Manager 5.0 - 5.0.2

Rational Quality Manager 6.0 - 6.0.4

Rational Team Concert 4.0 - 4.0.7

Rational Team Concert 5.0 - 5.0.2

Rational Team Concert 6.0 - 6.0.4

Rational DOORS Next Generation 4.0 - 4.0.7

Rational DOORS Next Generation 5.0 - 5.0.2

Rational DOORS Next Generation 6.0 - 6.0.4

Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7

Rational Engineering Lifecycle Manager 5.0 - 5.0.2

Rational Engineering Lifecycle Manager 6.0 - 6.0.4

Rational Rhapsody Design Manager 4.0 - 4.0.7

Rational Rhapsody Design Manager 5.0 - 5.0.2

Rational Rhapsody Design Manager 6.0 - 6.0.4

Rational Software Architect Design Manager 4.0 - 4.0.7

Rational Software Architect Design Manager 5.0 - 5.0.2

Rational Software Architect Design Manager 6.0 - 6.0.1

Remediation/Fixes

Step 1.

Apply the latest iFix to your installed product version:

For the 6.0 - 6.0.3 releases, upgrade to version 6.0.3 iFix5 or later

Rational Collaborative Lifecycle Management 6.0.3 iFix5

Rational Team Concert 6.0.3 iFix5

Rational Quality Manager 6.0.3 iFix5

Rational DOORS Next Generation 6.0.3 iFix5

Rational Software Architect Design Manager: Upgrade to version 6.0.3 and 
install server from CLM 6.0.3 iFix5

Rational Rhapsody Design Manager: Upgrade to version 6.0.3 and install server
from CLM 6.0.3 iFix5

Rational Engineering Lifecycle Manager: Upgrade to version 6.0.3 and install 
server from CLM 6.0.3 iFix5

For the 6.0 - 6.0.2 releases, upgrade to version 6.0.2 iFix11 or later

Rational Collaborative Lifecycle Management 6.0.2 iFix11

Rational Team Concert 6.0.2 iFix11

Rational Quality Manager 6.0.2 iFix11

Rational DOORS Next Generation 6.0.2 iFix11

Rational Software Architect Design Manager: Upgrade to version 6.0.2 and 
install server from CLM 6.0.2 iFix11

Rational Rhapsody Design Manager: Upgrade to version 6.0.2 and install server
from CLM 6.0.2 iFix11

Rational Engineering Lifecycle Manager: Upgrade to version 6.0.2 and install 
server from CLM 6.0.2 iFix11

For the 5.x releases, upgrade to version 5.0.2 iFix22 or later

Rational Collaborative Lifecycle Management 5.0.2 iFix22

Rational Team Concert 5.0.2 iFix22

Rational Quality Manager 5.0.2 iFix22

Rational DOORS Next Generation 5.0.2 iFix22

Rational Software Architect Design Manager: Upgrade to version 5.0.2 and 
install server from CLM 5.0.2 iFix22

Rational Rhapsody Design Manager: Upgrade to version 5.0.2 and install server
from CLM 5.0.2 iFix22

Rational Engineering Lifecycle Manager: Upgrade to version 5.0.2 and install 
server from CLM 5.0.2 iFix22

For the 4.x releases, upgrade to version 4.0.7 iFix14 or later

Rational Collaborative Lifecycle Management 4.0.7 iFix14

Rational Team Concert 4.0.7 iFix14

Rational Quality Manager 4.0.7 iFix14

Rational DOORS Next Generation/Requirements Composer 4.0.7 iFix14

Rational Software Architect Design Manager: Upgrade to version 4.0.7 and 
install server from CLM 4.0.7 iFix14

Rational Rhapsody Design Manager: Upgrade to version 4.0.7 and install server
from CLM 4.0.7 iFix14

Rational Engineering Lifecycle Manager: Upgrade to version 4.0.7 and install 
server from CLM 4.0.7 iFix14

Step 2:

Upgrade your Apache Tomcat to version 7.0.78 or later. Follow the procedure 
"How to update the Apache Tomcat server for IBM Rational products based on 
versions 3.0.1.6, 4.0.7 or later of IBM's Jazz technology" to apply the 
remediation.
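The two steps above end with a version check: the Tomcat that Jazz Team Server
runs on must be at 7.0.78 or later. The following Python is an added example,
not IBM or AusCERT code, that makes that check repeatable across a fleet. It
assumes the operator has captured the output of Tomcat's own version report
(`java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`, which prints
a "Server version: Apache Tomcat/x.y.z" line); the sample output embedded in
it is constructed, and the function names are my own. Because the bulletin
states a fix level only for the 7.0 line, the check reports other branches as
undetermined rather than guessing.

```python
"""Check an Apache Tomcat build against the fix level given in Step 2 of the
bulletin (7.0.78 or later). Added example, not IBM code."""
import re

# Minimum fixed version named by the bulletin for the 7.0.x line.
FIXED_7_0 = (7, 0, 78)

# ServerInfo prints a line of the form "Server version: Apache Tomcat/7.0.70";
# the exact surrounding lines vary by build, so only this one is parsed.
VERSION_RE = re.compile(r"Server version:\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(server_info_output):
    """Extract (major, minor, patch) from captured ServerInfo output."""
    m = VERSION_RE.search(server_info_output)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/x.y.z' line found")
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a parsed version.

    Only the 7.0.x line is judged: it is the only line for which this bulletin
    states a fix level. Other branches have their own fix versions that the
    bulletin does not give, so they are reported as undetermined instead of
    being compared numerically (8.0.0 is not "later than 7.0.78" in any sense
    the bulletin supports).
    """
    if version[:2] != FIXED_7_0[:2]:
        return "unknown-branch"
    return "fixed" if version >= FIXED_7_0 else "vulnerable"


def assess_output(server_info_output):
    """Convenience wrapper: parse captured output and classify it."""
    return assess(parse_tomcat_version(server_info_output))


# Constructed sample output (not captured from a real server).
SAMPLE_OLD = """Server version: Apache Tomcat/7.0.70
Server number:  7.0.70.0
OS Name:        Linux
"""

SAMPLE_FIXED = """Server version: Apache Tomcat/7.0.78
Server number:  7.0.78.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("patched", SAMPLE_FIXED)):
        print(label, parse_tomcat_version(sample), assess_output(sample))
```

Feeding the captured output of each server into `assess_output` gives a
fleet-wide list of hosts still below the bulletin's fix level; the
"unknown-branch" result flags hosts that need to be checked against the fix
versions for their own Tomcat branch.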

For any prior versions of the products listed above, IBM recommends upgrading
to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

30 June 2017: Initial Publication

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

=============================================================================

Security Bulletin: Potential information disclosure vulnerability in IBM Jazz
Team Server affects IBM Rational products based on IBM Jazz technology

Security Bulletin

Document information

More support for: Rational Collaborative Lifecycle Management

General Information

Software version: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 
5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3

Operating system(s): AIX, Linux, Solaris, Windows, iOS

Reference #: 2005435

Modified date: 30 June 2017

Summary

Potential information disclosure vulnerability in the IBM Jazz Team Server 
affecting the following IBM Rational Products: Collaborative Lifecycle 
Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering
Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality 
Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational 
Software Architect Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2016-9700

DESCRIPTION: IBM Jazz Foundation could allow an authenticated attacker to 
obtain sensitive information from error message stack traces.

CVSS Base Score: 4.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/119528 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 4.0 - 6.0.3

Rational Quality Manager 4.0 - 4.0.7

Rational Quality Manager 5.0 - 5.0.2

Rational Quality Manager 6.0 - 6.0.3

Rational Team Concert 4.0 - 4.0.7

Rational Team Concert 5.0 - 5.0.2

Rational Team Concert 6.0 - 6.0.3

Rational DOORS Next Generation 4.0.1 - 4.0.7

Rational DOORS Next Generation 5.0 - 5.0.2

Rational DOORS Next Generation 6.0 - 6.0.3

Rational Engineering Lifecycle Manager 4.0.3 - 4.0.7

Rational Engineering Lifecycle Manager 5.0 - 5.0.2

Rational Engineering Lifecycle Manager 6.0 - 6.0.3

Rational Rhapsody Design Manager 4.0 - 4.0.7

Rational Rhapsody Design Manager 5.0 - 5.0.2

Rational Rhapsody Design Manager 6.0 - 6.0.3

Rational Software Architect Design Manager 4.0 - 4.0.7

Rational Software Architect Design Manager 5.0 - 5.0.2

Rational Software Architect Design Manager 6.0 - 6.0.1

Remediation/Fixes

For the 6.0 - 6.0.3 releases, upgrade to version 6.0.3 iFix5 or later

Rational Collaborative Lifecycle Management 6.0.3 iFix5

Rational Team Concert 6.0.3 iFix5

Rational Quality Manager 6.0.3 iFix5

Rational DOORS Next Generation 6.0.3 iFix5

Rational Software Architect Design Manager: Upgrade to version 6.0.3 and 
install server from CLM 6.0.3 iFix5

Rational Rhapsody Design Manager: Upgrade to version 6.0.3 and install server
from CLM 6.0.3 iFix5

Rational Engineering Lifecycle Manager: Upgrade to version 6.0.3 and install 
server from CLM 6.0.3 iFix5

For the 6.0 - 6.0.2 releases, upgrade to version 6.0.2 iFix11 or later

Rational Collaborative Lifecycle Management 6.0.2 iFix11

Rational Team Concert 6.0.2 iFix11

Rational Quality Manager 6.0.2 iFix11

Rational DOORS Next Generation 6.0.2 iFix11

Rational Software Architect Design Manager: Upgrade to version 6.0.2 and 
install server from CLM 6.0.2 iFix11

Rational Rhapsody Design Manager: Upgrade to version 6.0.2 and install server
from CLM 6.0.2 iFix11

Rational Engineering Lifecycle Manager: Upgrade to version 6.0.2 and install 
server from CLM 6.0.2 iFix11

For the 5.x releases, upgrade to version 5.0.2 iFix22 or later

Rational Collaborative Lifecycle Management 5.0.2 iFix22

Rational Team Concert 5.0.2 iFix22

Rational Quality Manager 5.0.2 iFix22

Rational DOORS Next Generation 5.0.2 iFix22

Rational Software Architect Design Manager: Upgrade to version 5.0.2 and 
install server from CLM 5.0.2 iFix22

Rational Rhapsody Design Manager: Upgrade to version 5.0.2 and install server
from CLM 5.0.2 iFix22

Rational Engineering Lifecycle Manager: Upgrade to version 5.0.2 and install 
server from CLM 5.0.2 iFix22

For the 4.x releases, upgrade to version 4.0.7 iFix14 or later

Rational Collaborative Lifecycle Management 4.0.7 iFix14

Rational Team Concert 4.0.7 iFix14

Rational Quality Manager 4.0.7 iFix14

Rational DOORS Next Generation/Requirements Composer 4.0.7 iFix14

Rational Software Architect Design Manager: Upgrade to version 4.0.7 and 
install server from CLM 4.0.7 iFix14

Rational Rhapsody Design Manager: Upgrade to version 4.0.7 and install server
from CLM 4.0.7 iFix14

Rational Engineering Lifecycle Manager: Upgrade to version 4.0.7 and install 
server from CLM 4.0.7 iFix14

For any prior versions of the products listed above, IBM recommends upgrading
to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

30 June 2017: Initial Publication

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
