Vulnerability CVE-2015-7440 - CERT Civis.Net

Vulnerability Name:

CVE-2015-7440 (CCN-108098)

Assigned:

2015-09-29

Published:

2016-05-10

Updated:

2018-04-11

Summary:

IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Quality Manager (RQM) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Team Concert (RTC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1, 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Requirements Composer (RRC) 3.0.x before 3.0.1.6 iFix7 Interim Fix 1 and 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, and 4.0.7 before iFix10, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4; and Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, and 6.0.x before 6.0.1 iFix4 might allow local users to gain privileges via unspecified vectors. IBM X-Force ID: 108098.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

4.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
3.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

3.5 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2015-7440

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21982747

Source: CCN
Type: IBM Security Bulletin 1982747 (Rational Collaborative Lifecycle Management)
Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7440, CVE-2015-7453, CVE-2015-7471)

Source: XF
Type: UNKNOWN
ibm-jazz-cve20157440-priv-escalation(108098)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-jazz-cve20157440-priv-escalation(108098)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:rational_collaborative_lifecycle_management:*:*:*:*:*:*:*:* (Version >= 3.0.1 and <= 6.0.1)

Configuration 2:

cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.1.6)

OR cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_quality_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.1:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.6)

OR cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_team_concert:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.1:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.1.6)

OR cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

Configuration 5:

cpe:/a:ibm:rational_doors_next_generation:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_doors_next_generation:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.1:*:*:*:*:*:*:*

Configuration 6:

cpe:/a:ibm:rational_engineering_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 4.0.3 and <= 4.0.7)

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.1:*:*:*:*:*:*:*

Configuration 7:

cpe:/a:ibm:rational_rhapsody_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*

Configuration 8:

cpe:/a:ibm:rational_software_architect_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*

Denotes that component is vulnerable