Security Bulletin
Summary
IBM Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager and Rational Rhapsody Design Manager are vulnerable to a cross-site request forgery attack.
Vulnerability Details
Subscribe to My Notifications to be notified of important product support alerts like this.
|
CVE ID: CVE-2014-3037
Description: Rational Engineering Lifecycle Manager, Rational Software Architect Design Manager, and Rhapsody Design Manager use the component IBM Configuration Management Application (VVC), which is vulnerable to cross-site request forgery, caused by improper validation of user-supplied data. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93303 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
Rational Engineering Lifecycle Manager 1.0, 1.0.0.1, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 5.0
Rational Software Architect Design Manager 3.0, 3.0.0.1, 3.0.1, 4.0 - 4.0.6, 5.0
Rational Rhapsody Design Manager 3.0, 3.0.0.1, 3.0.1, 4.0 - 4.0.6, 5.0
Remediation/Fixes
For Rational Engineering Lifecycle Manager:
- Upgrade to Rational Engineering Lifecycle Manager 4.0.7
- Upgrade to Rational Engineering Lifecycle Manager 5.0.1
or
For Rational Software Architect Design Manager:
- Upgrade to Rational Software Architect Design Manager 4.0.7
- Upgrade to Rational Software Architect Design Manager 5.0.1
or
For Rational Rhapsody Design Manager:
- Upgrade to Rational Rhapsody Design Manager 4.0.7
- Upgrade to Rational Rhapsody Design Manager 5.0.1
or
For the 1.x releases of Rational Engineering Lifecycle Manager, the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, or customers who cannot upgrade to 4.0.7 or 5.0.1, please contact IBM support for guidance.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
* 5 Sep 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
RSA DM PSIRT# 1743 Record # 37220
Rhapsody DM PSIRT# 1743 Record # 37219
Alternate description: A security vulnerability has been identified in Rational Software Architect Design Manager and Rational Rhapsody Design Manager that allows manipulation of user session and cookies, which might be used by a hacker to view or alter user records, and to perform transactions as that user
Product Synonym
Rational Engineering Lifecycle Manager
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21682120