ESB-2018.1557 - [Win][Linux][Solaris][AIX] IBM ClearQuest: Multiple vulnerabilities 2018-05-23


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1557
 Security Bulletin: Multiple security vulnerabilities have been identified
           in GSKit shipped with IBM ClearQuest (CVE-2016-0702,
               CVE-2018-1447, CVE-2018-1427, CVE-2016-0705)
                                23 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM ClearQuest
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
                   Reduced Security       -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1447 CVE-2018-1427 CVE-2016-0705
                   CVE-2016-0702  

Reference:         ASB-2017.0219
                   ESB-2018.1498
                   ESB-2018.1310
                   ESB-2018.1050

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22015400

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple security vulnerabilities have been identified in
GSKit shipped with IBM ClearQuest (CVE-2016-0702, CVE-2018-1447,
CVE-2018-1427, CVE-2016-0705)

CVE-2016-0702; CVE-2018-1447; CVE-2018-1427; CVE-2016-0705

Document information

More support for: Rational ClearQuest

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6,
8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14,
8.0.0.15, 8.0.0.16, 8.0.0.17, 8.0.0.18, 8.0.0.19, 8.0.0.20, 8.0.0.21, 8.0.1,
8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.0.1.7, 8.0.1.8,
8.0.1.9, 8.0.1.10, 8.0.1.11, 8.0.1.12, 8.0.1.13, 8.0.1.14, 8.0.1.15, 8.0.1.16,
9.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6, 9.0.1, 9.0.1.1,
9.0.1.2

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 2015400

Modified date: 21 May 2018

Summary

Vulnerabilities have been addressed in the GSKit component of IBM Rational
ClearQuest.

Vulnerability Details

CVEID: CVE-2016-0702
DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive
information, caused by a side-channel attack against a system based on the
Intel Sandy-Bridge microarchitecture. An attacker could exploit this
vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
111144 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting
in weaker than expected protection of passwords. A weak password may be
recovered. Note: After update the customer should change password to ensure
the new password is stored more securely. Products should encourage customers
to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1427
DESCRIPTION: IBM GSKit contains several environment variables that a local
attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139072 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a
double-free error when parsing DSA private keys. An attacker could exploit
this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------------------------+-------------------------------------+
|          ClearQuest version          |               Status                |
+--------------------------------------+-------------------------------------+
|         8.0 through 8.0.0.21         |              Affected               |
|        8.0.1 through 8.0.1.16        |                                     |
|         9.0 through 9.0.0.6          |                                     |
|        9.0.1 through 9.0.1.2         |                                     |
+--------------------------------------+-------------------------------------+

+--------------------------------------+-------------------------------------+
|     ClearQuest CM Server release     |               Status                |
+--------------------------------------+-------------------------------------+
|         8.0 through 8.0.0.21         |              Affected               |
|        8.0.1 through 8.0.1.16        |                                     |
|         9.0 through 9.0.0.6          |                                     |
|        9.0.1 through 9.0.1.2         |                                     |
+--------------------------------------+-------------------------------------+

ClearQuest CM Server:
All platforms of the indicated releases.

You are vulnerable if you configure Rational ClearQuest to use LDAP
authentication with secure sockets connections.

Remediation/Fixes

Note: After applying the fixes listed below, refer to
http://publib.boulder.ibm.com/httpserv/ihsdiag/restash.html for information
on password re-stashing. Because of CVE-2018-1447 (the CMS KDB password hash
is unsalted), you are advised to re-stash your password once the fixes have
been applied.

The solution is to upgrade to a newer fix pack or release of ClearQuest, and
to apply fixes for IBM HTTP Server (IHS).

+--------------------+-------------------------------------------------------+
| Affected Versions  |                         Fixes                         |
+--------------------+-------------------------------------------------------+
|   9.0.1 through    |Install Rational ClearQuest Fix Pack 3 (9.0.1.3) for   |
|      9.0.1.2       |9.0.1                                                  |
|9.0 through 9.0.0.6 |                                                       |
+--------------------+-------------------------------------------------------+
|   8.0.1 through    |Install Rational ClearQuest Fix Pack 17 (8.0.1.17) for |
|      8.0.1.16      |8.0.1                                                  |
|8.0 through 8.0.0.21|                                                       |
+--------------------+-------------------------------------------------------+

ClearQuest CM Server:
Apply an IHS fix for the issue:

 1. Determine the IHS version used by your ClearQuest CM server. Navigate to
    the IBM HTTP Server installation directory (typically /opt/ibm/HTTPServer
    or C:\Program Files (x86)\IBM\HTTPServer), then execute the script: bin/
    versionInfo.sh (UNIX) or bin\versionInfo.bat (Windows). The output
    includes a section "IBM HTTP Server for WebSphere Application Server".
    Make note of the version listed in this section.
 2. Review the IHS security bulletin "Security Bulletin: Multiple
    vulnerabilities GSKit bundled with IBM HTTP Server" for the available
    fixes. Note: there may be newer security fixes for IBM HTTP Server.
    Follow the link in the section "Get Notified about Future Security
    Bulletins" to subscribe to WebSphere product support alerts for
    additional security fixes.
 3. Apply the relevant fixes to the IBM HTTP Server installation used on your
    ClearQuest CM server host. No ClearQuest-specific steps are necessary.
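As an added example (not code from IBM or AusCERT), the following POSIX shell helper turns two parts of this bulletin into checks: it maps an installed ClearQuest version onto the Remediation/Fixes table above, and it pulls the IBM HTTP Server version out of versionInfo output as described in step 1. The versionInfo sample is constructed for the example; on a real host pipe `bin/versionInfo.sh` into `ihs_version` instead.

```shell
# Added triage helper for ESB-2018.1557 (not IBM's or AusCERT's own code).
# cq_required_fix VERSION : fix pack named by the bulletin's table, or "not-listed"
# ihs_version             : IHS version from versionInfo output read on stdin

# Compare two dotted versions field by field (missing fields count as 0).
vcmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# True when $1 lies within the inclusive range $2 .. $3.
in_range() {
    [ "$(vcmp "$1" "$2")" -ge 0 ] && [ "$(vcmp "$1" "$3")" -le 0 ]
}

# Map a ClearQuest version onto the Remediation/Fixes table of the bulletin.
cq_required_fix() {
    if in_range "$1" 8.0 8.0.0.21 || in_range "$1" 8.0.1 8.0.1.16; then
        echo "8.0.1.17"      # Rational ClearQuest Fix Pack 17 for 8.0.1
    elif in_range "$1" 9.0 9.0.0.6 || in_range "$1" 9.0.1 9.0.1.2; then
        echo "9.0.1.3"       # Rational ClearQuest Fix Pack 3 for 9.0.1
    else
        echo "not-listed"    # outside the listed ranges (e.g. already fixed)
    fi
}

# Print the Version that follows the IHS product Name in versionInfo output.
# Real use: bin/versionInfo.sh | ihs_version   (bin\versionInfo.bat on Windows)
ihs_version() {
    awk '$1 == "Name" { ihs = ($0 ~ /IBM HTTP Server for WebSphere Application Server/) }
         ihs && $1 == "Version" { print $2; exit }'
}

# Constructed sample of versionInfo output (not captured from a real host).
SAMPLE_VERSIONINFO='Installed Product
Name                     Web Server Plug-ins for IBM WebSphere Application Server
Version                  8.5.5.11
Installed Product
Name                     IBM HTTP Server for WebSphere Application Server
Version                  8.5.5.12'

printf 'IHS version: %s\n' "$(printf '%s\n' "$SAMPLE_VERSIONINFO" | ihs_version)"
printf 'ClearQuest 9.0.1.2 needs: %s\n' "$(cq_required_fix 9.0.1.2)"
```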

For 7.0, 7.1, 8.0, and earlier releases, IBM recommends upgrading to a fixed,
supported version/release/platform of the product.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 April 2018: Original version published
21 May 2018: Updated Affected Products and Remediation/Fixes for an IHS fix
and password re-stashing due to CVE-2018-1447

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================