IC54264: SECURITY CONCERNS WITH CENTRAL ADMIN GLOBAL DOWNLOAD DIRECTORY AND REMOTE GLOBAL DOWNLOAD DIRECTORY

APAR status

  • Closed as program error.

Error description

  • Problem Description:
    If access is not restricted, malicious code could be executed
    via the CDP global download directory. Pull installations could
    be abused to distribute non-CDP software to all CDP clients
    throughout the internal network. This could be used to
    distribute malicious/virus infected files and therefore this is
    a potential security issue. The documentation should be updated
    to adequately address this issue.
    
    TSM Versions Affected: 3.1.x
    Customer/L2 Diagnostics (If Applicable)
    Initial Impact: Low
    Additional Keywords: continuous data protection vulnerability
    secure
    

Local fix

  • To prevent this, restrict "write" access to the CDP global
    download directory to a very small number of authorized
    people. Because this directory is monitored for commands to
    update the CDP configuration and the CDP client computer, only
    a central administrator should have authority to write to it.
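
One way to check the restriction described above, as an added example (not IBM's code and not part of the APAR), assuming the global download directory sits on a Windows NTFS volume or share. The path and the allowed-writer names are placeholders.

```powershell
# Added example: audit NTFS write access on the CDP global download directory.
# $Path and $AllowedWriters are placeholders (assumptions), not values from the APAR.
param(
    [string]$Path = '\\fileserver.example\CDP\GlobalDownload',
    [string[]]$AllowedWriters = @(
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'EXAMPLE\CDP-Central-Admins')
)

# Rights that allow placing or changing files, or rewriting the ACL itself.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which Get-Acl reports as raw numbers on some inherit-only entries.
$genericMask = 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $Path
$findings = @()

# The owner can always rewrite the DACL, so ownership counts as write access.
if ($AllowedWriters -notcontains $acl.Owner) {
    $findings += [pscustomobject]@{ Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
}

# Deny entries are ignored, so the report errs toward over-reporting.
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$ace.FileSystemRights
    $canWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)
    $who = $ace.IdentityReference.Value
    if ($canWrite -and ($AllowedWriters -notcontains $who)) {
        $findings += [pscustomobject]@{
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings.Count -gt 0) {
    Write-Warning "Principals outside the allow-list can write to $Path"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "Only allow-listed principals can write to $Path"
```

Share-level permissions on an SMB share are evaluated separately from this NTFS ACL and need the same review.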
    

Problem summary

  • Security concerns with the downloads directory
    in CDP.
    

Problem conclusion

  • A Technote was created to address the security
    concerns.  Technote # 1272084
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC54264

  • Reported component name

    TIV CONT DP FOR

  • Reported component ID

    5608CDFCL

  • Reported release

    310

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-10-30

  • Closed date

    2007-10-30

  • Last modified date

    2007-11-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV CONT DP FOR

  • Fixed component ID

    5608CDFCL

Applicable component levels

  • R310 PSY

       UP



Document information


More support for:

Tivoli Continuous Data Protection for Files

Software version:

310

Reference #:

IC54264

Modified date:

2007-11-02
