Vulnerability CVE-2015-7449 - CERT Civis.Net

Vulnerability Name:

CVE-2015-7449 (CCN-108221)

Assigned:

2015-09-29

Published:

2016-06-13

Updated:

2018-04-13

Summary:

IBM Rational Collaborative Lifecycle Management (CLM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Quality Manager (RQM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Team Concert (RTC) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Requirements Composer (RRC) 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7 before iFix1, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2 allow local users to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 108221.

CVSS v3 Severity:

3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-326
CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2015-7449

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21985143

Source: CCN
Type: IBM Security Bulletin 1985143 (Rational Collaborative Lifecycle Management)
Vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7449)

Source: XF
Type: UNKNOWN
ibm-jazz-cve20157449-info-disc(108221)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-jazz-cve20157449-info-disc(108221)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:rational_collaborative_lifecycle_management:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 6.0.2)

Configuration 2:

cpe:/a:ibm:rational_quality_manager:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_quality_manager:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_quality_manager:6.0.2:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:ibm:rational_team_concert:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_team_concert:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_team_concert:6.0.2:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:ibm:rational_requirements_composer:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.7)

Configuration 5:

cpe:/a:ibm:rational_doors_next_generation:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_doors_next_generation:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_doors_next_generation:6.0.2:*:*:*:*:*:*:*

Configuration 6:

cpe:/a:ibm:rational_engineering_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 4.0.3 and <= 4.0.7)

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_engineering_lifecycle_manager:6.0.2:*:*:*:*:*:*:*

Configuration 7:

cpe:/a:ibm:rational_rhapsody_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_rhapsody_design_manager:6.0.2:*:*:*:*:*:*:*

Configuration 8:

cpe:/a:ibm:rational_software_architect_design_manager:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.7)

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_software_architect_design_manager:6.0.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*

Denotes that component is vulnerable