Check Point Advisories

IBM Rational Quality Manager and Test Lab Manager Policy Bypass

Check Point Reference: CPAI-2010-402
Date Published: 31 Oct 2010
Severity: High
Last Updated: Wednesday 05 December, 2018
Protection Provided by:

Security Gateway
R81, R80, R77, R75

Who is Vulnerable?
Vulnerability Description IBM Rational Quality Manager and Test Lab Manager enables quality assurance teams to track all aspects of the quality assurance effort. The central artifact in the tool is a dynamic test plan that contains all information pertaining to the quality assurance effort, such as goals, schedules, milestones and exit criteria as well as links to associated test cases, requirements and development work items. A policy bypass vulnerability has been reported in IBM Rational Quality Manager and Test Lab Manager. The flaw exists within the installation of the bundled tomcat server. The default ADMIN account is improperly disabled within 'tomcat-users.xml' An account providing manager role level access is left enabled with a default password. A remote attacker can use this vulnerability to execute arbitrary code under the context of the tomcat server by sending a crafted HTTP request using a set of default credentials.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the IBM Rational Quality Manager and Test Lab Manager Policy Bypass protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  IBM Protection Violation.
Attack Information:  IBM Rational Quality Manager and Test Lab manager policy bypass

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.