CVE-2016-0372 in Rational Collaborative Lifecycle Management

Summary

by MITRE

IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 do not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.


Analysis

by VulDB Data Team • 06/08/2019

This vulnerability affects multiple IBM Rational products, including Collaborative Lifecycle Management, Quality Manager, Team Concert, DOORS Next Generation, Engineering Lifecycle Manager, Rhapsody Design Manager, and Software Architect Design Manager, across the version ranges listed in the summary. The core issue is a session cookie misconfiguration: the cookie is issued during an https session without the secure flag, which weakens the protection of authenticated user sessions. The weakness is classified as CWE-614, which covers sensitive cookies set in an HTTPS session without the Secure attribute, so this is a direct instance of insecure cookie handling.

The flaw manifests when users authenticate to these Rational applications over https, but the session cookie that maintains their authenticated state is returned in a Set-Cookie response header without the secure flag. Because the flag is absent, the browser will also send the cookie over an unencrypted http connection to the same host, where an attacker positioned on the network path can capture it during traffic analysis or a man-in-the-middle attack. This is particularly concerning because the captured cookie is sufficient on its own to hijack the session; no further exploitation is required. In the ATT&CK framework, the analysis maps this to the credential access technique T1550.001, covering the theft of session tokens through network interception.

The operational impact is substantial, since a hijacked session gives an attacker unauthorized access to Rational environments that hold sensitive development and project management data. Affected organizations face an increased risk of data breaches, unauthorized changes to development processes, and exposure of intellectual property stored in these lifecycle management systems. Because the products sit at the center of software development and quality management workflows, a compromise can undermine the integrity of entire development pipelines and projects, and can serve as a foothold for persistent access, follow-on attacks, or data exfiltration.

Organizations should apply the vendor-provided iFixes for each affected product version without delay to correct the session cookie configuration. Every session cookie these applications issue must carry the secure flag so that it is only transmitted over encrypted connections. Administrators should also review their web application configurations to confirm that session management settings follow established guidance such as the OWASP Top Ten, enhance network monitoring to detect attempted cookie interception, and consider additional controls such as HTTP Strict Transport Security (HSTS), which prevents the downgrade to http that this weakness depends on. Regular assessments of application configuration remain essential as part of a defense-in-depth approach to session management weaknesses of this kind.
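The following is an added example, not code from VulDB or IBM: a small Python audit that checks Set-Cookie headers for the CWE-614 condition described above (a session cookie issued over https without Secure, with HttpOnly checked as well) and shows the weak header beside its corrected form. The cookie name JSESSIONID and all header values are constructed for illustration and are not taken from any real Rational deployment.

```python
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; bare attributes such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookies(set_cookie_headers, over_https=True,
                          session_names=("JSESSIONID",)):
    """Return a finding for each session cookie lacking Secure (only meaningful
    for https responses) or HttpOnly. Non-session cookies are ignored."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Return the same header with HttpOnly and Secure appended where absent."""
    _, attrs = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    for attr in ("HttpOnly", "Secure"):
        if attr.lower() not in attrs:
            out += f"; {attr}"
    return out


# Constructed sample headers: the weak form the advisory describes, then the fixed form.
VULNERABLE_HEADERS = ["JSESSIONID=constructedvalue; Path=/jts; HttpOnly",
                      "preferences=constructed; Path=/"]
FIXED_HEADERS = ["JSESSIONID=constructedvalue; Path=/jts; HttpOnly; Secure"]
```

Running `audit_session_cookies(VULNERABLE_HEADERS)` reports the JSESSIONID cookie missing Secure, while the same call on `FIXED_HEADERS` returns no findings.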
