-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.2504.3
Security Bulletin: TLS padding vulnerability affects IBM Rational ClearCase
            (CVE-2014-8730) and Security Bulletin: TLS padding
               vulnerability affects IBM Rational ClearQuest
                              (CVE-2014-8730)
                               19 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational ClearCase
                   IBM Rational ClearQuest
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Reduced Security       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8730  

Reference:         ESB-2014.2499
                   ESB-2014.2493
                   ESB-2014.2485
                   ESB-2014.2484
                   ESB-2014.2483

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21692655
   http://www-01.ibm.com/support/docview.wss?uid=swg21693290

Revision History:  March    19 2015: Reference to fix packs with final fixes
                   January  20 2015: Updated Rational ClearCase bulletin to refer to fixes for IBM HTTP Server
                   December 23 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: TLS padding vulnerability affects IBM Rational ClearCase 
(CVE-2014-8730)

Document information

More support for:

Rational ClearCase

CCRC WAN Server

Software version:

7.1, 7.1.0.1, 7.1.0.2, 7.1.1, 7.1.1.1, 7.1.1.2, 7.1.1.3, 7.1.1.4, 7.1.1.5, 
7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.1.2.1, 7.1.2.2, 7.1.2.3, 7.1.2.4,
7.1.2.5, 7.1.2.6, 7.1.2.7, 7.1.2.8, 7.1.2.9, 7.1.2.10, 7.1.2.11, 7.1.2.12, 
7.1.2.13, 7.1.2.14, 7.1.2.15, 7.1.2.16, 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 
8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 
8.0.0.12, 8.0.0.13, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 
8.0.1.6

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1692655

Modified date:

2015-03-18

Security Bulletin

Summary

Transport Layer Security (TLS) padding vulnerability via a POODLE-like (Padding 
Oracle On Downgraded Legacy Encryption) attack affects IBM Rational 
ClearCase.

Vulnerability Details

CVE-ID: CVE-2014-8730

Description: IBM Rational ClearCase could allow a remote attacker to obtain 
sensitive information, caused by the failure of some TLS implementations to 
check the contents of the padding bytes when using CBC cipher suites. A 
remote user with the ability to conduct a man-in-the-middle attack could 
exploit this vulnerability via a POODLE-like (Padding Oracle On Downgraded 
Legacy Encryption) attack to decrypt sensitive information and recover the 
plaintext of secure connections.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99216 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
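The defect the description refers to is a TLS stack that inspects only the final padding-length byte, as SSLv3 did, instead of comparing every padding byte against that length as TLS 1.0 and later require. The following Python is an added example, not IBM's or AusCERT's code, that places the lenient check beside the strict one and runs both over a constructed record; the MAC key, payload and helper names are assumptions for illustration, and the MAC is simplified (it omits the sequence number and record header that the real TLS MAC covers).

```python
"""
TLS 1.x CBC record padding: lenient (SSLv3-style) check beside the strict
check TLS requires.  Added example, not IBM or AusCERT code; the record
bytes, MAC key and helper names below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Callable, Optional

MAC_LEN = 20  # HMAC-SHA1 tag length, as in the TLS_*_CBC_SHA cipher suites


def check_padding_lenient(decrypted: bytes) -> bool:
    """SSLv3-style check: only the final length byte is inspected.

    This is the defect the bulletin describes for CVE-2014-8730: the padding
    bytes themselves are never compared, so a record whose padding has been
    altered is still accepted as long as the length byte is plausible.
    """
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len + 1 + MAC_LEN <= len(decrypted)


def check_padding_strict(decrypted: bytes) -> bool:
    """TLS 1.0+ check (RFC 5246, section 6.2.3.2): the padding must fit in
    the record and every padding byte must equal the padding length byte."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 + MAC_LEN > len(decrypted):
        return False
    # Accumulate differences instead of returning early; a production
    # implementation must also keep the MAC check timing-independent of
    # the padding result (RFC 5246 6.2.3.2 discusses this).
    diff = 0
    for b in decrypted[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def build_record_plaintext(payload: bytes, mac_key: bytes,
                           block_size: int = 16) -> bytes:
    """Construct payload || MAC || padding as it looks after CBC decryption.

    Simplified: the real TLS MAC also covers the sequence number and the
    record header; only the payload is authenticated here.
    """
    mac = hmac.new(mac_key, payload, hashlib.sha1).digest()
    body = payload + mac
    # Minimal padding: pad_len padding bytes plus one length byte, all
    # holding the value pad_len, bringing the record to a block multiple.
    pad_len = (block_size - (len(body) + 1) % block_size) % block_size
    return body + bytes([pad_len]) * (pad_len + 1)


def corrupt_first_padding_byte(record: bytes) -> bytes:
    """Negative test vector: flip the first padding byte and leave the
    length byte intact.  A conforming TLS stack must reject this record."""
    pad_len = record[-1]
    if pad_len == 0:
        return record  # no padding bytes other than the length byte
    idx = len(record) - 1 - pad_len
    return record[:idx] + bytes([record[idx] ^ 0xFF]) + record[idx + 1:]


def verify_record(decrypted: bytes, mac_key: bytes,
                  padding_check: Callable[[bytes], bool]) -> Optional[bytes]:
    """Strip padding and MAC using the supplied padding check; return the
    payload on success, None when the record must be rejected."""
    if not padding_check(decrypted):
        return None
    pad_len = decrypted[-1]
    body = decrypted[:-(pad_len + 1)]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


if __name__ == "__main__":
    key = b"constructed-mac-key"  # constructed, not a real key
    good = build_record_plaintext(b"GET / HTTP/1.1\r\n", key)
    bad = corrupt_first_padding_byte(good)
    for name, check in (("lenient", check_padding_lenient),
                        ("strict", check_padding_strict)):
        print(name, "valid record ->", verify_record(good, key, check))
        print(name, "bad padding  ->", verify_record(bad, key, check))
```

Run stand-alone, the lenient check returns the payload for both records, while the strict check returns None for the record with the altered padding byte. That difference, a stack that accepts a record it should reject, is the behaviour the fix packs listed under Remediation/Fixes remove.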

Affected Products and Versions

CMI and OSLC integrations (Windows platform)

The vulnerable component is used when ClearCase on Windows platforms is 
configured to integrate with IBM Rational ClearQuest or Rational Team Concert
with communication over SSL (https). This applies to Base CC/CQ integrations 
using Change Management Interface (CMI) and to UCM-enabled CQ integration via
OSLC. The UCM-enabled CQ integration without OSLC (SQUID) is not 
susceptible to this attack.

The integrations may be used by Windows clients directly, or by a Windows CCRC
WAN server/CM Server.

ClearCase Windows Client or CCRC WAN Server/CM Server Version   Status
-------------------------------------------------------------   --------------------------------------------
8.0.1.x                                                         Affected if you use CMI or OSLC integrations
8.0.0.5 and higher                                              Affected if you use CMI or OSLC integrations
7.1.2.9 and higher                                              Affected if you use CMI or OSLC integrations
7.0.x, 7.1.0.x, 7.1.1.x                                         Not affected

Note: Linux/UNIX clients using CMI or OSLC integrations are not affected. 
Linux/UNIX WAN servers are not affected by this vulnerability in CMI/OSLC, but
are affected by a vulnerability in IBM HTTP Server (IHS).

CCRC WAN Server (All platforms)

The vulnerable component is also used by CCRC WAN server (all platforms) and 
CM Server for ClearCase (all platforms) when supporting SSL connections with 
IBM HTTP Server.

ClearCase server version     Status of IHS vulnerability
-------------------------    ---------------------------------------
8.0.1.x (CCRC WAN server)    Affected (all platforms) if you use SSL
8.0.0.x (CCRC WAN server)    Affected (all platforms) if you use SSL
7.1.2.x (CM Server)          Affected (all platforms) if you use SSL
7.1.1.x (CM Server)          Affected (all platforms) if you use SSL
7.1.0.x (CM Server)          Affected (all platforms) if you use SSL

Remediation/Fixes

Install the appropriate fix pack on your Windows systems running the 
vulnerable integration code (clients and servers):

Affected Versions            Applying the fix to Windows clients using an integration
-------------------------    ----------------------------------------------------------
8.0.1.x                      Install Rational ClearCase Fix Pack 7 (8.0.1.7) for 8.0.1
8.0.0.x                      Install Rational ClearCase Fix Pack 14 (8.0.0.14) for 8.0
7.1.2.x, 7.1.1.x, 7.1.0.x    Customers on extended support contracts should install
                             Rational ClearCase Fix Pack 17 (7.1.2.17) for 7.1.2

You should verify applying this fix does not cause any compatibility issues.

In addition to the above fix pack, you should install a fix for IBM HTTP 
server on your CCRC WAN server/CM Server host(s). Apply the fixes listed in 
Security Bulletin: TLS padding vulnerability affects IBM HTTP Server 
(CVE-2014-8730).

To install a fixpack or interim fix for IHS as referenced in that bulletin, 
follow the guidance in this table:

Affected ClearCase Versions    Applying an IHS Fix
---------------------------    -----------------------------------------------------------
8.0.0.x, 8.0.1.x               Install the IHS fixes to your installation, following the
                               instructions from the IHS security bulletin. (IHS is
                               installed and maintained separately for ClearCase 8.0.x.)
7.1.0.x, 7.1.1.x, 7.1.2.x      Document 1390803 explains how to update IHS for ClearCase
                               CM Servers at release 7.1.x. Consult those instructions
                               when applying the fix. Install the IHS fixes listed in the
                               IHS security bulletin referenced above.

You should verify applying this configuration change does not cause any 
compatibility issues.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and 
integrity service. If you are not subscribed, see the instructions on the 
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and 
applying all security or integrity fixes as soon as possible to minimize any 
potential risk.

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

* 22 December 2014: Original copy published

* 19 January 2015: revised to refer to fixes for IBM HTTP Server

* 18 March 2015: revised to refer to fix packs with final fixes

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----