CVE-2015-0121 in Rational Requirements Composer

Summary

by MITRE

IBM Rational Requirements Composer 3.0 through 3.0.1.6 and 4.0 through 4.0.7 and Rational DOORS Next Generation (RDNG) 4.0 through 4.0.7 and 5.0 through 5.0.2, when LTPA single sign on is used with WebSphere Application Server, do not terminate a Requirements Management (RM) session upon LTPA token expiration, which allows remote attackers to obtain access by leveraging an unattended workstation.


Analysis

by VulDB Data Team • 04/02/2019

This vulnerability exists in IBM Rational Requirements Composer and Rational DOORS Next Generation when they are integrated with WebSphere Application Server using LTPA single sign on. The flaw is a session management weakness: the Requirements Management (RM) session outlives the LTPA token that authenticated it, so an established session remains usable after the SSO credential behind it has expired. The vulnerability specifically affects versions 3.0 through 3.0.1.6 and 4.0 through 4.0.7 of Rational Requirements Composer, alongside RDNG versions 4.0 through 4.0.7 and 5.0 through 5.0.2, all operating under LTPA token authentication.

The technical implementation flaw stems from the failure to properly monitor and validate LTPA token expiration events within the session lifecycle management. When LTPA tokens expire due to configured time limits or system policies, the applications continue to maintain active session states without proper termination or re-authentication prompts. This creates a window of opportunity where authenticated sessions remain valid even after the underlying authentication credentials have expired, effectively allowing attackers to maintain access to sensitive requirements management data.

The operational impact of this vulnerability is significant for organizations utilizing these tools in enterprise environments where workstations may be left unattended. Attackers can exploit this weakness by simply waiting for LTPA tokens to expire and then leveraging the existing session state to access requirements data, potentially including confidential business requirements, system specifications, or architectural documents. This represents a direct violation of the principle of least privilege and can lead to information disclosure, unauthorized modifications to requirements, or potential escalation to other system components.

This vulnerability aligns with CWE-613, which addresses insufficient session expiration, and maps to ATT&CK technique T1550.001 for legitimate credentials and T1078.004 for valid accounts. The persistent session state after token expiration creates a path for credential theft and privilege escalation attacks. Organizations should implement immediate mitigations including configuring shorter session timeouts, enabling automatic session cleanup mechanisms, and implementing additional access controls such as mandatory re-authentication for sensitive operations. Additionally, network segmentation and monitoring solutions should be deployed to detect unusual access patterns that may indicate exploitation attempts, while regular security assessments should verify proper session management implementation across all integrated applications.

The root cause demonstrates a failure in proper session lifecycle management where the system does not adequately handle authentication state transitions. This weakness allows attackers to exploit the temporal gap between token expiration and session termination, effectively creating a persistent access mechanism that bypasses standard authentication controls. Organizations should prioritize patching affected versions and implementing robust session monitoring to prevent unauthorized access through this vector.
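The following is an added illustration of the session lifecycle flaw described above and of the corrected behaviour; it is not IBM or VulDB code and does not model the real LTPA token format or WebSphere APIs. An LTPA-style token is represented only by its subject and expiry timestamp (a constructed two-hour lifetime), and an RM session is a record bound to that token. The vulnerable check consults only the application's own idle timeout, so regular activity keeps the session alive indefinitely; the hardened check also re-examines the bound token's expiry on every request, terminates the session when the token lapses, and records the event so it is visible to monitoring.

```python
"""Coupling an application session to its SSO token lifetime (CWE-613).

Added example, not code from the affected products. The token and session
types below are constructed stand-ins for an LTPA token and an RM session.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class SsoToken:
    """Minimal stand-in for an LTPA token: who it is for and when it expires."""
    subject: str
    issued_at: datetime
    expires_at: datetime


@dataclass
class RmSession:
    """Application session created from an SSO token at login time."""
    session_id: str
    token: SsoToken
    last_activity: datetime
    idle_timeout: timedelta = timedelta(minutes=30)
    terminated: bool = False
    audit: List[str] = field(default_factory=list)


def validate_session_vulnerable(session: RmSession, now: datetime) -> bool:
    """Flawed check: only the application's idle timeout is consulted.

    The SSO token's expiry is never re-examined after login, so an actively
    used session keeps working after the token behind it has lapsed. This is
    the CVE-2015-0121 pattern.
    """
    if session.terminated:
        return False
    if now - session.last_activity > session.idle_timeout:
        session.terminated = True
        return False
    session.last_activity = now
    return True


def validate_session_hardened(session: RmSession, now: datetime) -> bool:
    """Corrected check: the session is valid only while BOTH the idle timeout
    and the bound SSO token lifetime hold. Token expiry ends the session and
    is written to an audit trail so monitoring can see it."""
    if session.terminated:
        return False
    if now >= session.token.expires_at:
        session.terminated = True
        session.audit.append(
            f"session {session.session_id} terminated: sso token for "
            f"{session.token.subject} expired at {session.token.expires_at.isoformat()}"
        )
        return False
    if now - session.last_activity > session.idle_timeout:
        session.terminated = True
        session.audit.append(f"session {session.session_id} terminated: idle timeout")
        return False
    session.last_activity = now
    return True


def demo() -> Tuple[List[bool], List[bool], List[str]]:
    """Replay three hours of activity, one request every 10 minutes, against
    both checks. Constructed timeline: login at 09:00 UTC with a token that
    expires at 11:00; requests run until 12:00."""
    t0 = datetime(2015, 1, 1, 9, 0, tzinfo=timezone.utc)
    token = SsoToken("alice", issued_at=t0, expires_at=t0 + timedelta(hours=2))
    vulnerable = RmSession("s1", token, last_activity=t0)
    hardened = RmSession("s1", token, last_activity=t0)
    # 18 requests: 09:10, 09:20, ..., 12:00. Activity every 10 minutes never
    # trips the 30-minute idle timer, so only token expiry can end the session.
    requests = [t0 + timedelta(minutes=10 * i) for i in range(1, 19)]
    vulnerable_results = [validate_session_vulnerable(vulnerable, t) for t in requests]
    hardened_results = [validate_session_hardened(hardened, t) for t in requests]
    return vulnerable_results, hardened_results, hardened.audit


if __name__ == "__main__":
    v, h, audit = demo()
    print("vulnerable check accepted every request:", all(v))
    print("hardened check accepted requests before token expiry:", h.count(True))
    print("\n".join(audit))
```

The vulnerable check accepts all eighteen requests, including the seven made after the token expired at 11:00; the hardened check accepts the eleven requests before expiry, rejects the request at exactly 11:00 and every one after it, and leaves a single audit line for the termination. The audit line is what a monitoring rule would key on when checking that session termination actually follows token expiry in a deployment.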

Reservation

11/18/2014

Disclosure

05/30/2015

Moderation

accepted

Entry

VDB-75614

CPE

ready

EPSS

0.00193

KEV

no

Activities

very low

Sources
