===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.2504.3
      Security Bulletin: TLS padding vulnerability affects IBM Rational
       ClearCase (CVE-2014-8730) and Security Bulletin: TLS padding
       vulnerability affects IBM Rational ClearQuest (CVE-2014-8730)
                               19 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational ClearCase
                   IBM Rational ClearQuest
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Reduced Security       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8730

Reference:         ESB-2014.2499
                   ESB-2014.2493
                   ESB-2014.2485
                   ESB-2014.2484
                   ESB-2014.2483

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21692655
   http://www-01.ibm.com/support/docview.wss?uid=swg21693290

Revision History:  March 19 2015:    Reference to fix packs with final fixes
                   January 20 2015:  Updated Rational ClearCase bulletin to
                                     refer to fixes for IBM HTTP Server
                   December 23 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: TLS padding vulnerability affects IBM Rational ClearCase
(CVE-2014-8730)

Document information

More support for:    Rational ClearCase
                     CCRC WAN Server

Software version:    7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3,
                     7.1.1.4, 7.1.1.5, 7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9,
                     7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.2.4, 7.1.2.5,
                     7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11,
                     7.1.2.12, 7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 8.0,
                     8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6,
                     8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12,
                     8.0.0.13, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4,
                     8.0.1.5, 8.0.1.6

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #:         1692655

Modified date:       2015-03-18

Security Bulletin

Summary

A Transport Layer Security (TLS) padding vulnerability, exploitable via a
POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack, affects
IBM Rational ClearCase.

Vulnerability Details

CVE-ID: CVE-2014-8730

Description: IBM Rational ClearCase could allow a remote attacker to obtain
sensitive information, caused by the failure to check the contents of the
padding bytes when using CBC cipher suites of some TLS implementations. A
remote user with the ability to conduct a man-in-the-middle attack could
exploit this vulnerability via a POODLE-like (Padding Oracle On Downgraded
Legacy Encryption) attack to decrypt sensitive information and calculate the
plaintext of secure connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99216 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

CMI and OSLC integrations (Windows platform)

The vulnerable component is used when ClearCase on Windows platforms is
configured to integrate with IBM Rational ClearQuest or Rational Team Concert
with communication over SSL (https). This applies to Base CC/CQ integrations
using the Change Management Interface (CMI) and to the UCM-enabled CQ
integration via OSLC. The UCM-enabled CQ integration without OSLC (SQUID) is
not susceptible to this attack. The integrations may be used by Windows
clients directly, or by a Windows CCRC WAN server/CM Server.

ClearCase Windows Client or
CCRC WAN Server/CM Server Version   Status
---------------------------------   ---------------------------------------------
8.0.1.x                             Affected if you use CMI or OSLC integrations
8.0.0.5 and higher                  Affected if you use CMI or OSLC integrations
7.1.2.9 and higher                  Affected if you use CMI or OSLC integrations
7.0.x, 7.1.0.x, 7.1.1.x             Not affected

Note: Linux/UNIX clients using CMI or OSLC integrations are not affected.
Linux/UNIX WAN servers are not affected by this vulnerability in CMI/OSLC, but
are affected by a vulnerability in IBM HTTP Server (IHS).

CCRC WAN Server (All platforms)

The vulnerable component is also used by the CCRC WAN server (all platforms)
and CM Server for ClearCase (all platforms) when supporting SSL connections
with IBM HTTP Server.

ClearCase server version      Status of IHS vulnerability
------------------------      ---------------------------------------
8.0.1.x (CCRC WAN server)     Affected (all platforms) if you use SSL
8.0.0.x (CCRC WAN server)     Affected (all platforms) if you use SSL
7.1.2.x (CM Server)           Affected (all platforms) if you use SSL
7.1.1.x (CM Server)           Affected (all platforms) if you use SSL
7.1.0.x (CM Server)           Affected (all platforms) if you use SSL

Remediation/Fixes

Install the appropriate fix pack on your Windows systems running the
vulnerable integration code (clients and servers):

Affected Versions   Applying the fix to Windows clients using an integration
-----------------   -----------------------------------------------------------
8.0.1.x             Install Rational ClearCase Fix Pack 7 (8.0.1.7) for 8.0.1
8.0.0.x             Install Rational ClearCase Fix Pack 14 (8.0.0.14) for 8.0
7.1.2.x             Customers on extended support contracts should install
7.1.1.x             Rational ClearCase Fix Pack 17 (7.1.2.17) for 7.1.2
7.1.0.x

You should verify that applying this fix does not cause any compatibility
issues.

In addition to the above fix pack, you should install a fix for IBM HTTP
Server on your CCRC WAN server/CM Server host(s). Apply the fixes listed in
Security Bulletin: TLS padding vulnerability affects IBM HTTP Server
(CVE-2014-8730). To install a fix pack or interim fix for IHS as referenced in
that bulletin, follow the guidance in this table:

Affected ClearCase   Applying an IHS Fix
Versions
------------------   -----------------------------------------------------------
8.0.0.x, 8.0.1.x     Install the IHS fixes to your installation, following the
                     instructions from the IHS security bulletin. (IHS is
                     installed and maintained separately for ClearCase 8.0.x.)
7.1.0.x              Document 1390803 explains how to update IHS for ClearCase
7.1.1.x              CM Servers at release 7.1.x. Consult those instructions
7.1.2.x              when applying the fix. Install the IHS fixes listed in the
                     IHS security bulletin referenced above.

You should verify that applying this configuration change does not cause any
compatibility issues.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

* 22 December 2014: Original copy published
* 19 January 2015: revised to refer to fixes for IBM HTTP Server
* 18 March 2015: revised to refer to fix packs with final fixes

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
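Editor's illustration of the defect the Vulnerability Details section describes (added here; not part of the IBM or AusCERT bulletin): a TLS 1.x CBC record-layer padding check that inspects only the length byte, beside one that verifies every padding byte as RFC 5246 requires. The record bytes are constructed for the example, and decryption and MAC verification are assumed to happen elsewhere.

```python
from typing import Optional

# A decrypted TLS 1.x CBC record ends with padlen bytes of value padlen,
# followed by the padlen byte itself (RFC 5246, section 6.2.3.2).
# Decryption and MAC verification are assumed to be handled elsewhere.


def strip_padding_lenient(plaintext: bytes) -> Optional[bytes]:
    """Checks only the final length byte, never the padding contents.

    This is the "failure to check the contents of the padding bytes" that
    CVE-2014-8730 describes: a man-in-the-middle who alters a record can
    learn whether the altered bytes still decrypt to a valid padding
    length, which is the oracle a POODLE-like attack relies on."""
    if not plaintext:
        return None
    padlen = plaintext[-1]
    if padlen + 1 > len(plaintext):
        return None
    return plaintext[:-(padlen + 1)]


def strip_padding_strict(plaintext: bytes) -> Optional[bytes]:
    """Requires every padding byte to equal padlen.

    A mismatch flag is accumulated over all padding bytes instead of
    returning on the first bad byte, so the time taken does not reveal
    which byte was wrong."""
    if not plaintext:
        return None
    padlen = plaintext[-1]
    if padlen + 1 > len(plaintext):
        return None
    mismatch = 0
    for b in plaintext[-(padlen + 1):]:
        mismatch |= b ^ padlen
    if mismatch:
        return None
    return plaintext[:-(padlen + 1)]


# Constructed sample records (not captured traffic): "hello" followed by a
# four-byte padding region (padlen = 3), once well formed and once with the
# padding bytes overwritten while the length byte is left intact.
GOOD_RECORD = b"hello" + bytes([3, 3, 3, 3])
TAMPERED_RECORD = b"hello" + bytes([0x41, 0x42, 0x43, 3])


def oracle_present() -> bool:
    """True when the lenient check accepts a record the strict check rejects."""
    return (strip_padding_lenient(TAMPERED_RECORD) is not None
            and strip_padding_strict(TAMPERED_RECORD) is None)
```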
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================