The ClearCase & ClearQuest Community
HCL Security bulletin

HCL uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in HCL offerings. Alternative tools and processes are used, where appropriate, when targeted or discrete communication with entitled customers is required. To protect our customers, HCL does not publicly disclose or confirm security vulnerabilities until HCL has conducted an analysis of the product and issued fixes and/or mitigations.
Overview
Security Bulletins notify customers about one or more vulnerabilities. Customers are responsible for assessing the impact of any actual or potential security vulnerability in the context of their environment.
 
HCL Security Bulletin Structure and Content
HCL Security Bulletins follow a standard format and include elements that identify the type of vulnerability and its potential impact. Given their sensitive nature, Security Bulletins do not include detailed vulnerability exploitation information. The structure of an HCL Security Bulletin is defined below.
 
Title
To aid in identification, the title of the security bulletin includes the phrase "Security Bulletin:" followed by a brief statement that includes information such as the nature, or type, of vulnerability and the affected HCL Offering Name. It may also include one or more associated CVE IDs.
 
Summary
The security bulletin summary provides general information about the nature of the vulnerability.

Vulnerability Details
The vulnerability details section provides a list of Common Vulnerabilities and Exposures (CVE) identifiers and descriptions. CVE IDs are standardized identifiers for publicly known computer vulnerabilities and exposures.
CVSS is an open standard for assessing the severity or impact of computer system security vulnerabilities. This standard attempts to establish a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS 'score' is based on an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments. Additional information is available in the CVSS v3.0 User Guide.
A CVSS score is assigned to each CVE by HCL.
CVE and CVSS details are presented in the following format:
CVEID: CVE-XXXX-XXXX (where XXXX-XXXX represents an assigned CVE ID)
 
Description
A high-level description of the vulnerability. HCL does not intend to provide vulnerability details that could enable someone to craft an exploit of the vulnerability.
CVSS Base Score: The CVSS score assigned to the CVE by HCL. The score range is 0 – 10.
CVSS Temporal Score: The temporal score can change over the lifetime of the vulnerability as exploits are developed and disclosed and as mitigations and fixes are made available.
CVSS Environmental Score: The environmental score uses the base and current temporal score to assess the severity of a vulnerability in the context of the way that the vulnerable product or software is deployed. The CVSS Environmental Score is customer-environment specific. Customers can evaluate the impact of the vulnerability in their environments by accessing the links in the References section of the Security Bulletin.
 
Affected Products and Versions
The affected products and versions section identifies the names of affected HCL Offerings and the versions of those offerings which are affected by the vulnerabilities identified in the security bulletin.
 
Remediation/Fixes
The remediation/fixes section identifies associated fixes, by affected version, as well as how and where to obtain those fixes.
 
Workarounds and Mitigations
The workarounds and mitigations section identifies usage or configuration changes that may be available in place of fix installation.
 
References
The references section identifies additional resources that may be useful when evaluating the security bulletin.
 
Related Information
The related information section identifies additional, related information resources that may be useful when evaluating the security bulletin.
 
Change History
The change history section summarizes publication and update information associated with the security bulletin. In the event that you receive multiple notifications for a bulletin, re-review the bulletin to determine if the new updates are applicable to your environment.

Copyright © 2018-19

Note: ClearQuest and ClearCase are trademarks of IBM Corporation in at least one jurisdiction and are used under license.