A critical signature spoofing by key recreation vulnerability in Rational ClearCase by IBM.

Scroll down


The MSCAPI/MSCNG interface implementation in GSKit in IBM Rational ClearCase 7.1.2.x before, 8.0.0.x before, and 8.0.1.x before does not properly generate random numbers, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.


This signature spoofing by key recreation vulnerability has been classified with a high base score of 9.4, a high impact score of 9.2 and a high exploitability score of 10.

Economic Impact

The economic impact provides a custom overview of the affected areas by this vulnerability. If there is a higher amount of predicted attacks, there is a higher probability to be affected by this vulnerability in this particular region.


Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to deepen community understanding and enhance protection. The vulnerability has been classificated in 8 categories.

Signature Spoofing by Key Recreation

An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.


CPE is a structured naming scheme for information technology systems, software, and packages. Based on a common Uniform Resource Identifier (URI) syntax, CPE includes a formal naming format, a method for validating system names, and a description format for attaching text and tests to the name.

All CPE details