IBM Support

PK75832: UCM-CQ ON LINUX/AIX: USER LOGIN CREDENTIALS IN PLAIN-TEXT BY PS -EF COMMAND


APAR status

  • Closed as program error.

Error description

  • UCM-CQ on Linux/AIX: user login credentials in plain-text by
    ps -ef command

    Was reproduced in house, on 7.0.1.2. Note the customer is on
    7.0.1.1 iFix02.
    Steps to repro:

    1. So I brought up xclearcase on AIX.
    2. During a 'checkout' I selected the 'new' button to create a
       new UCM baseActivity record.
    3. At that point I saw the following process running (it shows
       the database username and password in cleartext).
    4. The customer reproduced this with -cmd find (probably trying
       to search for all activities or something like that), so I'm
       sure there are more cases than just submit where we are
       passing this data. Did this on both AIX and Linux.

    The in-house repro output is:

    judyh 22598 27544  90 17:29:21  pts/2 0:01 /opt/rational/clearquest/aix4_power/bin/../../../common/java/jre/bin/java -cp /opt/rational/clearquest/rcp/plugins/com.ibm.rational.clearquest.ucm.rcp_7.0.0/ucmrcp.jar com.ibm.rational.clearquest.ucm.cmdline.UCMCmdLine -cmd submit -m 7.0.0 -d judy -u judy -p cag -rec BaseCMActivity -return_id /tmp/tmp28807
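
A host-side check for the exposure described above, added here as an example (it is not part of the APAR and not IBM's code): it scans `ps -ef` style output for UCMCmdLine processes that carry a -p argument and reports them without echoing the value. It assumes -u and -p are the login name and password arguments, as the repro output suggests; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Reads `ps -ef` style lines on stdin and
# prints "pid owner login" for each UCMCmdLine process that has a -p
# argument. The -p value itself is never printed.
# Assumption: -u / -p carry the login name and password.
scan_ucm_args() {
    awk '{
        start = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /UCMCmdLine$/) { start = i; break }
        if (!start) next              # not a UCMCmdLine process
        login = "?"; has_pw = 0
        for (i = start + 1; i < NF; i++) {
            if ($i == "-u") login = $(i + 1)
            # -p followed by a token that is not itself a flag
            if ($i == "-p" && $(i + 1) !~ /^-/) has_pw = 1
        }
        if (has_pw) print $2, $1, login
    }'
}

# Constructed sample in `ps -ef` layout (not captured from a real host).
sample_ps() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
alice 4101 4000 0 10:01:02 pts/1 0:01 java -cp ucmrcp.jar com.ibm.rational.clearquest.ucm.cmdline.UCMCmdLine -cmd submit -d DB1 -u cq_alice -p EXAMPLE-PW -rec BaseCMActivity
bob 4102 4000 0 10:01:05 pts/2 0:00 vi -p notes.txt
carol 4103 4000 0 10:02:00 pts/3 0:00 java -cp ucmrcp.jar com.ibm.rational.clearquest.ucm.cmdline.UCMCmdLine -cmd find -d DB1 -u cq_carol -p EXAMPLE-PW2
dave 4104 4000 0 10:03:00 pts/4 0:00 java -cp ucmrcp.jar com.ibm.rational.clearquest.ucm.cmdline.UCMCmdLine -cmd find -d DB1 -u cq_dave
EOF
}

# Offline demo; on a live host use: ps -ef | scan_ucm_args
sample_ps | scan_ucm_args
```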
    

Local fix

Problem summary

  • A security vulnerability exists in ClearCase version 7.
    

Problem conclusion

  • A fix is available in ClearCase versions 7.0.0.5, 7.0.1.4,
    and 7.1.0.1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK75832

  • Reported component name

    CLEARCASE UNIX

  • Reported component ID

    5724G2901

  • Reported release

    60L

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-11-17

  • Closed date

    2009-04-08

  • Last modified date

    2009-04-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CLEARCASE UNIX

  • Fixed component ID

    5724G2901

Applicable component levels

  • R60L PSN

       UP


Document Information

Modified date:
08 April 2009