IBM Rational ClearQuest 7.1.1.x / 7.1.2.x < 7.1.2.13.01 / 8.0.0.x < 8.0.0.10.01 / 8.0.1.x < 8.0.1.3.01 OpenSSL Library Multiple Vulnerabilities (credentialed check) (Heartbleed)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote host has software installed that is affected by multiple
vulnerabilities.

Description :

The remote host has a version of IBM Rational ClearQuest 7.1.1.x /
7.1.2.x prior to 7.1.2.13.01 / 8.0.0.x prior to 8.0.0.10.01 / 8.0.1.x
prior to 8.0.1.3.01 installed. It is, therefore, potentially affected
by multiple vulnerabilities in the OpenSSL library :

- An error exists related to the implementation of the
  Elliptic Curve Digital Signature Algorithm (ECDSA) that
  allows nonce disclosure via the 'FLUSH+RELOAD' cache
  side-channel attack. (CVE-2014-0076)

- An out-of-bounds read error, known as the 'Heartbleed
  Bug', exists related to handling TLS heartbeat
  extensions that allows an attacker to obtain sensitive
  information such as primary key material, secondary key
  material, and other protected content. Note that this
  error only affects versions of ClearQuest later than
  7.1.2. (CVE-2014-0160)

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21670905
http://www-01.ibm.com/support/docview.wss?uid=swg21666414
http://www.heartbleed.com
https://eprint.iacr.org/2014/140
https://www.openssl.org/news/vulnerabilities.html#2014-0160
https://www.openssl.org/news/secadv/20140407.txt

Solution :

Upgrade to IBM Rational ClearQuest 7.1.2.13 Interim Fix 01
(7.1.2.13.01) / 8.0.0.10 Interim Fix 01 (8.0.0.10.01) / 8.0.1.3
Interim Fix 01 (8.0.1.3.01) or later.

Risk factor :

High / CVSS Base Score : 9.4
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
CVSS Temporal Score : 7.4
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 81782

Bugtraq ID: 66363, 66690

CVE ID: CVE-2014-0076, CVE-2014-0160
