Security fixes for the IBM Tivoli Storage Manager (TSM) client

 Flash (Alert)
 
Abstract
Fixes are available for security vulnerabilities in the IBM Tivoli Storage Manager (TSM) client. The fixes address problems described by APARs IC59513, IC59994, IC59779, and IC59781. The Web GUI, Java GUI, and SSL in certain client releases are affected.
 
Content

Four security vulnerabilities exist in the IBM Tivoli Storage Manager (TSM) client, as described below. You are unaffected by these vulnerabilities unless you use the specific client component (Web GUI, Java GUI, or SSL) at the specific client release levels listed below. Fixes are available (see SOLUTION below). Version 6.1 clients are unaffected.

1. IC59513, Two Buffer Overruns, Web GUI and Java GUI:
Two similar buffer overrun vulnerabilities exist in the client Web GUI and Java GUI, which have the potential to crash the TSM client agent process or to allow malicious code injection. The malicious code could, for example, allow an unauthorized user to read, copy, alter, or delete files on the client machine.

Client Release   Vulnerable Client Levels    Fixing Client Levels
TSM 5.4          5.4.0.0 through 5.4.1.96    5.4.2
TSM 5.3          5.3.0.0 through 5.3.6.4     5.3.6.6
TSM 5.2          5.2.0.0 through 5.2.5.3     5.2.5.4
TSM 5.1          5.1.0.0 through 5.1.8.2     5.1.8.3
TSM Express      5.3.3.0 through 5.3.6.4     5.3.6.6

Versions 5.5 and 6.1 are unaffected by this vulnerability.


2. IC59994, Buffer Overrun, Web GUI:
A buffer overrun vulnerability exists in the client Web GUI, which has the potential to crash the TSM client agent process or to allow malicious code injection. The malicious code could, for example, allow an unauthorized user to read, copy, alter, or delete files on the client machine.

Client Release   Vulnerable Client Levels    Fixing Client Levels
TSM 5.5          5.5.0.0 through 5.5.1.17    5.5.2
TSM 5.4          5.4.0.0 through 5.4.2.6     5.4.2.7
TSM 5.3          5.3.0.0 through 5.3.6.4     5.3.6.6
TSM 5.2          5.2.0.0 through 5.2.5.3     5.2.5.4
TSM 5.1          5.1.0.0 through 5.1.8.2     5.1.8.3

Version 6.1 is unaffected by this vulnerability.


3. IC59779, Unauthorized Access, Java GUI
An unauthorized access vulnerability exists in the client Java GUI. The vulnerability could, for example, allow an unauthorized user to read, copy, alter, or delete files on the client machine.

Client Release   Vulnerable Client Levels    Fixing Client Levels
TSM 5.5          5.5.0.0 through 5.5.1.17    5.5.2
TSM 5.4          5.4.0.0 through 5.4.2.6     5.4.2.7
TSM 5.3          5.3.0.0 through 5.3.6.5     5.3.6.6
TSM 5.2          5.2.0.0 through 5.2.5.3     5.2.5.4
TSM Express      5.3.3.0 through 5.3.6.5     5.3.6.6

Version 6.1 is unaffected by this vulnerability.


4. IC59781, Man-in-the-middle, SSL
A man-in-the-middle vulnerability exists in the AIX and Windows clients using the Secure Socket Layer (SSL). The vulnerability could, for example, allow files from the client machine to be read or copied by an unauthorized user.

Client Release                  Vulnerable Client Levels    Fixing Client Levels
TSM 5.5 (AIX and Windows only)  5.5.0.0 through 5.5.1.17    5.5.2

Versions 5.1, 5.2, 5.3, Express, 5.4, and 6.1 are unaffected by this vulnerability.
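As an added illustration that is not part of IBM's flash, the following Python encodes the vulnerable level ranges from the four tables above and reports which APARs apply to an installed client level, given the client components actually in use and, for the SSL issue, the platform. The APAR numbers and ranges are copied from the tables; the component names (`web-gui`, `java-gui`, `ssl`), the function names and the sample inventory are this example's own assumptions. Levels are compared as zero-padded integer tuples rather than as strings, so that `5.4.1.96` sorts below `5.4.2` and `5.3.6.4` below `5.3.6.10`. TSM Express shares the 5.3 numbering and its ranges lie inside the TSM 5.3 rows, so an Express level gets the same answer as the corresponding 5.3 level.

```python
"""Check an installed Tivoli Storage Manager (TSM) backup-archive client
level against the vulnerable ranges published in this flash.

Added example, not an IBM tool.  The APAR numbers and level ranges are
copied from the advisory tables; the component names ("web-gui",
"java-gui", "ssl") and all function names are this script's own.
"""

from typing import Dict, Iterable, List, Tuple


def parse_level(level: str) -> Tuple[int, ...]:
    """Turn '5.4.1.96' into (5, 4, 1, 96).

    Shorter levels are zero-padded, so the fixing level '5.4.2' becomes
    (5, 4, 2, 0), the first level of that maintenance stream.  Tuples of
    ints compare correctly where strings do not: '5.3.6.4' < '5.3.6.10'
    as levels, but not as text.
    """
    parts = level.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed client level: {level!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


# Inclusive (low, high) ranges straight from the advisory tables, per APAR,
# plus the client component that must be in use for the issue to apply.
# TSM Express ranges (5.3.3.0 through 5.3.6.x) fall inside the TSM 5.3 rows.
ADVISORY: Dict[str, dict] = {
    "IC59513": {  # two buffer overruns, Web GUI and Java GUI
        "components": {"web-gui", "java-gui"},
        "vulnerable": [("5.4.0.0", "5.4.1.96"), ("5.3.0.0", "5.3.6.4"),
                       ("5.2.0.0", "5.2.5.3"), ("5.1.0.0", "5.1.8.2")],
    },
    "IC59994": {  # buffer overrun, Web GUI
        "components": {"web-gui"},
        "vulnerable": [("5.5.0.0", "5.5.1.17"), ("5.4.0.0", "5.4.2.6"),
                       ("5.3.0.0", "5.3.6.4"), ("5.2.0.0", "5.2.5.3"),
                       ("5.1.0.0", "5.1.8.2")],
    },
    "IC59779": {  # unauthorized access, Java GUI
        "components": {"java-gui"},
        "vulnerable": [("5.5.0.0", "5.5.1.17"), ("5.4.0.0", "5.4.2.6"),
                       ("5.3.0.0", "5.3.6.5"), ("5.2.0.0", "5.2.5.3")],
    },
    "IC59781": {  # man-in-the-middle, SSL, AIX and Windows clients only
        "components": {"ssl"},
        "platforms": {"AIX", "Windows"},
        "vulnerable": [("5.5.0.0", "5.5.1.17")],
    },
}


def exposed_apars(level: str, components_in_use: Iterable[str],
                  platform: str) -> List[str]:
    """Return the APARs whose vulnerable range contains `level`, restricted
    to the components actually in use (and, for IC59781, the platform).

    A level past the top of every range (for example 5.5.2 or any 6.1
    level) returns an empty list, matching the advisory's statement that
    later levels within a release are cumulative and include the fix.
    """
    installed = parse_level(level)
    in_use = set(components_in_use)
    hits: List[str] = []
    for apar, info in ADVISORY.items():
        if not info["components"] & in_use:
            continue  # component not used: the advisory says you are unaffected
        if "platforms" in info and platform not in info["platforms"]:
            continue  # IC59781 is limited to the AIX and Windows clients
        if any(parse_level(lo) <= installed <= parse_level(hi)
               for lo, hi in info["vulnerable"]):
            hits.append(apar)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: hostname, level, components in use, platform.
    inventory = [
        ("bkup-01", "5.4.1.96", {"web-gui", "java-gui"}, "AIX"),
        ("bkup-02", "5.4.2.3", {"web-gui"}, "Linux"),
        ("bkup-03", "5.5.1.17", {"ssl"}, "Windows"),
        ("bkup-04", "5.5.2", {"web-gui", "java-gui", "ssl"}, "Windows"),
    ]
    for host, lvl, comps, plat in inventory:
        found = exposed_apars(lvl, comps, plat)
        print(f"{host}: {lvl} on {plat} -> {', '.join(found) or 'not exposed'}")
```

Feed it the level reported by the installed client (for example from the `dsmc` banner) together with whichever of the Web GUI, Java GUI or SSL features the host actually has enabled; a host that uses none of the three components is reported as not exposed at any level, which is exactly what the advisory states.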

RELATED TSM PRODUCT
One related TSM product does not contain these vulnerabilities, but one of its functions requires the Web GUI in the Backup-Archive client. This specific product and function is:

  • TSM for Mail: Data Protection (DP) for Domino - Remote GUI function only

SOLUTION:
Install the client update packages that include the fixes for the vulnerabilities (see tables below). Later levels within the release are cumulative and would also include the fix.

  • Web and Java GUI client update packages:
Client Release                  B/A Client Platforms                    Client download link
TSM 5.5                         All platforms                           5.5.2
TSM 5.4                         All platforms                           5.4.2.7
TSM 5.3 "special clients"       Windows 2000; Solaris 8;                5.3.6.6
  supported in 5.4                Linux x86 RHEL 3
TSM 5.3                         AIX; Linux x86; Linux zSeries;          5.3.6.6 (all 5.3 clients with
                                  Solaris SPARC; HP PA-RISC;              support extensions)
                                  Windows x32; Windows x64
TSM 5.2                         AIX; Solaris SPARC; HP PA-RISC;         5.2.5.4 AIX; 5.2.5.4 Solaris SPARC;
                                  Windows x32; Tru64 at 5.1.8.3 level     5.2.5.4 HP PA-RISC; 5.2.5.4 Windows x32;
                                                                          5.1.8.3 Tru64 UNIX
TSM Express                     Windows x32; Windows x64                Express 5.3.6.6

  • SSL client update packages:
Client Release                  B/A Client Platforms                    Client download link
TSM 5.5                         AIX and Windows



ACKNOWLEDGEMENTS:

The first Web and Java GUI buffer overrun issue (IC59513) was reported to IBM by Secunia. The other three issues were determined internally by IBM.
 
 
 

Document information
 Product categories: Software > Storage Management > Data Protection > IBM Tivoli Storage Manager > Client
 Operating system(s): AIX, HP-UX, Linux, Macintosh, NetWare, Solaris, TRU64 UNIX, Windows
 Software version: 5.2, 5.3, 5.4, 5.5
 Reference #: 1384389
 IBM Group: Software Group
 Modified date: 2009-04-30
