ESB-2018.3692 - [Win][UNIX/Linux] IBM Rational products: Multiple vulnerabilities 2018-11-28

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3692
           Multiple vulnerabilities affect multiple IBM Rational
                   products based on IBM Jazz technology
                             28 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational products
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Create Arbitrary Files   -- Remote with User Interaction
                   Denial of Service        -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Existing Account            
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1905 CVE-2018-1797 CVE-2018-1777
                   CVE-2018-1767 CVE-2018-1762 

Reference:         ESB-2018.3619
                   ESB-2018.3577
                   ESB-2018.3214
                   ESB-2018.3114.2
                   ESB-2018.0660.9

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10742281
   http://www.ibm.com/support/docview.wss?uid=ibm10742251

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Cross-site scripting vulnerability affects multiple IBM
Rational products based on IBM Jazz technology

Security Bulletin

Document information

More support for: Rational Collaborative Lifecycle Management

Software version: 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5,
6.0.6

Operating system(s): Platform Independent

Reference #: 0742281

Modified date: 27 November 2018

Summary

Cross-site scripting vulnerability affects components used by the following
products that may affect those products: Collaborative Lifecycle Management
(CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle
Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM),
Rational Rhapsody Design Manager (Rhapsody DM) and Rational Software Architect
Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2018-1762
DESCRIPTION: IBM Jazz Foundation is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148616 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 5.0 - 6.0.6

Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.6

Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.6

Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.6

Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.6

Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.6

Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.1

Remediation/Fixes

For the 6.0 - 6.0.6 releases:

  o Upgrade to version 6.0.6 iFix003 or later
      - Rational Collaborative Lifecycle Management 6.0.6 iFix003
      - Rational DOORS Next Generation 6.0.6 iFix003
      - Rational Quality Manager 6.0.6 iFix003
      - Rational Team Concert 6.0.6 iFix003
      - Rational Engineering Lifecycle Manager: Upgrade to version 6.0.5 and
        install server from CLM 6.0.6 iFix003
      - Rational Rhapsody Design Manager: Upgrade to version 6.0.5 and install
        server from CLM 6.0.6 iFix003
      - Rational Software Architect Design Manager: Upgrade to version 6.0.5
        and install server from CLM 6.0.6 iFix003

  o Or upgrade to version 6.0.2 iFix019 or later (Planned publication date
    within 30 days)
      - Rational Collaborative Lifecycle Management 6.0.2 iFix019
      - Rational Team Concert 6.0.2 iFix019
      - Rational Quality Manager 6.0.2 iFix019
      - Rational DOORS Next Generation 6.0.2 iFix019
      - Rational Software Architect Design Manager: Upgrade to version 6.0.2
        and install server from CLM 6.0.2 iFix019
      - Rational Rhapsody Design Manager: Upgrade to version 6.0.2 and install
        server from CLM 6.0.2 iFix019
      - Rational Engineering Lifecycle Manager: Upgrade to version 6.0.2 and
        install server from CLM 6.0.2 iFix019

For the 5.x releases, upgrade to version 5.0.2 iFix27 or later

  o Rational Collaborative Lifecycle Management 5.0.2 iFix027
  o Rational Team Concert 5.0.2 iFix027
  o Rational Quality Manager 5.0.2 iFix027
  o Rational DOORS Next Generation 5.0.2 iFix027
  o Rational Software Architect Design Manager: Upgrade to version 5.0.2 and
    install server from CLM 5.0.2 iFix027
  o Rational Rhapsody Design Manager: Upgrade to version 5.0.2 and install
    server from CLM 5.0.2 iFix027
  o Rational Engineering Lifecycle Manager: Upgrade to version 5.0.2 and
    install server from CLM 5.0.2 iFix027


For any prior versions of the products listed above, IBM recommends upgrading
to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Change History

27 November 2018: Initial publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in WebSphere Application Server
affect IBM Rational products based on IBM Jazz technology

PSIRT; security

Security Bulletin

Document information

More support for: Rational Collaborative Lifecycle Management

Software version: 5.0.x, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6

Operating system(s): Platform Independent

Reference #: 0742251

Modified date: 27 November 2018

Summary

Multiple vulnerabilities in WebSphere Application Server bundled with IBM Jazz
Team Server based Applications affect the following products: Collaborative
Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational
Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational
Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and
Rational Software Architect Design Manager (RSA DM).

Vulnerability Details

CVEID: CVE-2018-1767
DESCRIPTION: IBM WebSphere Application Server CacheMonitor is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148621 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1777
DESCRIPTION: IBM WebSphere Application Server Admin Console is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148800 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1905
DESCRIPTION: IBM WebSphere Application Server is vulnerable to a XML External
Entity Injection (XXE) attack when processing XML data. A remote attacker could
exploit this vulnerability to expose sensitive information or consume memory
resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
152534 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2018-1797
DESCRIPTION: IBM WebSphere Application Server using Enterprise bundle Archives
(EBA) could allow a local attacker to traverse directories on the system. By
persuading a victim to extract a specially-crafted ZIP archive containing "dot
dot slash" sequences (../), an attacker could exploit this vulnerability to
write to arbitrary files on the system. Note: This vulnerability is known as
"Zip-Slip".
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
149427 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Rational Collaborative Lifecycle Management 5.0 - 6.0.6

Rational Quality Manager 5.0 - 5.0.2
Rational Quality Manager 6.0 - 6.0.6

Rational Team Concert 5.0 - 5.0.2
Rational Team Concert 6.0 - 6.0.6

Rational DOORS Next Generation 5.0 - 5.0.2
Rational DOORS Next Generation 6.0 - 6.0.6

Rational Engineering Lifecycle Manager 5.0 - 5.0.2
Rational Engineering Lifecycle Manager 6.0 - 6.0.6

Rational Rhapsody Design Manager 5.0 - 5.0.2
Rational Rhapsody Design Manager 6.0 - 6.0.6

Rational Software Architect Design Manager 5.0 - 5.0.2
Rational Software Architect Design Manager 6.0 - 6.0.1

Remediation/Fixes

The IBM Jazz Team Server based Applications bundle different versions of IBM
WebSphere Application Server with the available versions of the products, and
in addition to the bundled version some previous versions of WAS are also
supported. For a remediation follow the WAS security bulletin appropriately.

For vulnerability details/affected versions/Remediation and fixes, review the
Security Bulletins:

Security Bulletin: Potential cross-site scripting vulnerability in the
WebSphere Application Server Admin Console (CVE-2018-1777)

Security Bulletin: Cross-site scripting vulnerability in CacheMonitor for
WebSphere Application Server (CVE-2018-1767)

Security Bulletin: Potential XML External Entity (XXE) Injection Vulnerability
in WebSphere Application Server (CVE-2018-1905)

Security Bulletin: Potential directory traversal vulnerability in WebSphere
Application Server (CVE-2018-1797)

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability for CVE-2018-1777 and CVE-2018-1905 were reported to IBM by
Benoit Cote-Jodoin from GoSecure
The vulnerability for CVE-2018-1767 was reported to IBM by vah13

Change History

27 November 2018: Initial publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


                          Cross reference information
       Product         Component  Platform            Version           Edition
Rational Team Concert            Platform    5.0.x, 6.0, 6.0.1, 6.0.2,
                                 Independent 6.0.3, 6.0.4, 6.0.5, 6.0.6
   Rational Quality              Platform    5.0.x, 6.0, 6.0.1, 6.0.2,
       Manager                   Independent 6.0.3, 6.0.4, 6.0.5, 6.0.6
 Rational DOORS Next             Platform    5.0.x, 6.0, 6.0.1, 6.0.2,
      Generation                 Independent 6.0.3, 6.0.4, 6.0.5, 6.0.6
 Rational Engineering            Platform    5.0.x, 6.0, 6.0.1, 6.0.2,
  Lifecycle Manager              Independent 6.0.3, 6.0.4, 6.0.5, 6.0.6
  Rational Rhapsody              Platform    5.0.x, 6.0, 6.0.1, 6.0.2,
    Design Manager               Independent 6.0.3, 6.0.4, 6.0.5, 6.0.6
  Rational Software              Platform
   Architect Design              Independent 5.0.x, 6.0, 6.0.1
       Manager

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW/4bvWaOgq3Tt24GAQg/JRAApbFCSxLC3IX3N+VZIGy9ZL2A7fJnC2Ej
VOCMwQJHsDcNIa+Ip47L5O5KM3YsSkSY0y1D9D17ekXmq88dM7jLWUJkQnPmXxF5
HRspbKQAhCGGQ5Yq6anqc9OiqxdvEFOKjs3bqVw24LwuR4jEhmG9OWufGHqGmT9N
9+pb4AvrtDOOu8HNDAEe5iQNSja+Bff4s26uxqhgMvA2cEQz1iVUbmkMHHREhlhZ
VwfUSiHUbKFw1oKEO7eieOEt1SP3jyTteEX2DaB8pLkzLMCb8WjWPYzlDVatChrO
WTC4dwsElQje+UFRiKRcwD+6lccU1wJqbIxqvYoPmGTnwJrvB96EogGPjuuQVIRl
bwO67oALW6qP+8wVb8J9DC7KAyz6jf+arFIuYGMvt/jTqn1kS34rYG72qPlyb1pg
U2ioBLhlfU9z9BN4sEuKhJDkcUIAKJPeN9wUnSPfLNYOJ2rJcqlsFvMhHjUOcu4w
mCpwFNDqA3+xNom79am3KBJ2mY6n8SLz7lwki/Qu+euj7zIRBGuhy0qwm67Ut2Bl
/yFKFsO5IxFk6goQPB/AMIUd0WzmiE1h8QdJIHetYk5BIy2QhJ6DHQ9cuuOAcQek
klTpU7M883gpAB9+a9V2uOyRXnuV3bRXD8OXEMnTRH6GVLgYyaleX8idIDspW8qg
/LQ4gVN4ekw=
=Y0zd
-----END PGP SIGNATURE-----

« Back to bulletins