SB2022072605 - Multiple vulnerabilities in IBM Rational ClearCase
Published: July 26, 2022
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Improper control of a resource through its lifetime (CVE-ID: CVE-2022-27778)
The vulnerability allows a remote attacker to delete files on the system.
The vulnerability exists in the curl command line tool when --no-clobber is used together with --remove-on-error. A remote attacker can trick the victim into connecting to a malicious server and force the command line tool to remove unexpected files.
2) Information disclosure (CVE-ID: CVE-2022-27779)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot. As a result, an attacker can create cookie files that are later sent to a different and unrelated site or domain.
3) Input validation error (CVE-ID: CVE-2022-27780)
The vulnerability allows a remote attacker to bypass filters and checks.
The vulnerability exists because the curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, turning it into a different URL with the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F10.0.0.1/ would be allowed by the parser and get transposed into http://example.com/10.0.0.1/.
A remote attacker can bypass various internal filters and checks and force curl to connect to the wrong web application.
4) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out of the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send an authentication string from one resource to another, exposing credentials to a third party.
5) Cleartext transmission of sensitive information (CVE-ID: CVE-2022-30115)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the HSTS implementation: curl can continue using HTTP instead of HTTPS if the host name in the given URL has a trailing dot but did not have one when the HSTS cache was built. A remote attacker with the ability to intercept traffic can obtain potentially sensitive information.
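The host-name handling behind items 2, 3 and 5 can be screened for before a URL ever reaches curl. The following is an added example, not part of the original bulletin and not code from curl or IBM: a pre-flight check that inspects the host exactly as written, flagging percent-encoded separators and a trailing dot. All function names are hypothetical and the sample URLs in the comments are constructed.

```python
import re
from urllib.parse import unquote

# Raw authority: everything between "//" and the first "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")
# Characters that act as URL separators once percent-decoded.
_SEPARATORS = set("/?#@:\\")


def raw_host(url):
    """Return the host exactly as written (no decoding), or None."""
    m = _AUTHORITY.match(url)
    if not m:
        return None
    hostport = m.group(1).rsplit("@", 1)[-1]      # drop any userinfo
    if hostport.startswith("["):                   # bracketed IPv6 literal
        return hostport[: hostport.find("]") + 1]
    return hostport.split(":", 1)[0]               # drop any port


def host_findings(url):
    """List reasons this URL's host should not be handed to an HTTP client."""
    host = raw_host(url)
    if not host:
        return ["no host"]
    findings = []
    # e.g. http://example.com%2F10.0.0.1/ (the bulletin's own example)
    for enc in re.findall(r"%[0-9A-Fa-f]{2}", host):
        if unquote(enc) in _SEPARATORS:
            findings.append(f"encoded separator {enc.upper()} in host")
    # e.g. https://example.com./login (constructed sample)
    if host.endswith("."):
        findings.append("trailing dot in host")
    return findings


def canonical_host(url):
    """Host form for the caller's own allowlist comparisons."""
    host = raw_host(url)
    return host.rstrip(".").lower() if host else None
```

Rejecting or canonicalising such URLs in the calling application narrows exposure on hosts that cannot yet take the vendor update; it does not replace it.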
6) Information disclosure (CVE-ID: CVE-2022-27774)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because curl follows redirects during the authentication process and does not consider different port numbers or protocols to be separate authentication targets. If the web application redirects to a different port number or protocol, curl will allow the redirection and will pass the credentials along. It could also leak the TLS SRP credentials this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-affect-ibm-rational-clearcase-cve-2022-27778-cve-2022-27779-cve-2022-27780-cve-2022-27782-cve-2022-30115-cve-2022-27774/
- https://www.ibm.com/support/pages/node/6606577