Security fixes for the IBM Tivoli Storage Manager (TSM) client

Flash (Alert)


Abstract

Fixes are available for security vulnerabilities in the IBM Tivoli Storage Manager (TSM) client. The fixes address problems described by APARs IC59513, IC59994, IC59779, and IC59781. The Web GUI, Java GUI, and SSL in certain client releases are affected.

Content

Four security vulnerabilities exist in the IBM Tivoli Storage Manager (TSM) client, as described below. You are unaffected by these vulnerabilities unless you use the specific client component (Web GUI, Java GUI, or SSL) at the specific client release levels listed below. Fixes are available (see SOLUTION below). Version 6.1 clients are unaffected.

1. IC59513, Two Buffer Overruns, Web GUI and Java GUI:
Two similar buffer overrun vulnerabilities exist in the client Web GUI and Java GUI, which have the potential to crash the TSM client agent process or to allow malicious code injection. The malicious code could, for example, allow an unauthorized user to read, copy, alter, or delete files on the client machine.

Client Release | Vulnerable Client Levels | Fixing Client Levels
TSM 5.4 | 5.4.0.0 through 5.4.1.96 | 5.4.2
TSM 5.3 | 5.3.0.0 through 5.3.6.4 | 5.3.6.6
TSM 5.2 | 5.2.0.0 through 5.2.5.3 | 5.2.5.4
TSM 5.1 | 5.1.0.0 through 5.1.8.2 | 5.1.8.3
TSM Express | 5.3.3.0 through 5.3.6.4 | 5.3.6.6

Versions 5.5 and 6.1 are unaffected by this vulnerability.


2. IC59994, Buffer Overrun, Web GUI:
A buffer overrun vulnerability exists in the client Web GUI, which has the potential to crash the TSM client agent process or to allow malicious code injection. The malicious code could, for example, allow an unauthorized user to read, copy, alter, or delete files on the client machine.

Client Release | Vulnerable Client Levels | Fixing Client Levels
TSM 5.5 | 5.5.0.0 through 5.5.1.17 | 5.5.2
TSM 5.4 | 5.4.0.0 through 5.4.2.6 | 5.4.2.7
TSM 5.3 | 5.3.0.0 through 5.3.6.4 | 5.3.6.6
TSM 5.2 | 5.2.0.0 through 5.2.5.3 | 5.2.5.4
TSM 5.1 | 5.1.0.0 through 5.1.8.2 | 5.1.8.3

Version 6.1 is unaffected by this vulnerability.


3. IC59779, Unauthorized Access, Java GUI:
An unauthorized access vulnerability exists in the client Java GUI. The vulnerability could, for example, allow an unauthorized user to read, copy, alter, or delete files on the client machine.

Client Release | Vulnerable Client Levels | Fixing Client Levels
TSM 5.5 | 5.5.0.0 through 5.5.1.17 | 5.5.2
TSM 5.4 | 5.4.0.0 through 5.4.2.6 | 5.4.2.7
TSM 5.3 | 5.3.0.0 through 5.3.6.5 | 5.3.6.6
TSM 5.2 | 5.2.0.0 through 5.2.5.3 | 5.2.5.4
TSM Express | 5.3.3.0 through 5.3.6.5 | 5.3.6.6

Version 6.1 is unaffected by this vulnerability.


4. IC59781, Man-in-the-middle, SSL:
A man-in-the-middle vulnerability exists in the AIX and Windows clients using the Secure Socket Layer (SSL). The vulnerability could, for example, allow files from the client machine to be read or copied by an unauthorized user.

Client Release | Vulnerable Client Levels | Fixing Client Levels
TSM 5.5 (AIX and Windows only) | 5.5.0.0 through 5.5.1.17 | 5.5.2

Versions 5.1, 5.2, 5.3, Express, 5.4, and 6.1 are unaffected by this vulnerability.

RELATED TSM PRODUCT
One related TSM product does not contain these vulnerabilities, but one of its functions requires the Web GUI in the Backup-Archive client. This specific product and function is:

  • TSM for Mail: Data Protection (DP) for Domino - Remote GUI function only

SOLUTION:
Install the client update packages that include the fixes for the vulnerabilities (see tables below). Later levels within the release are cumulative and would also include the fix.

  • Web and Java GUI client update packages:
Client Release | B/A Client Platforms | Client download link
TSM 5.5 | All platforms | 5.5.2
TSM 5.4 | All platforms | 5.4.2.7
TSM 5.3 "special clients" supported in 5.4 | Windows 2000, Solaris 8, Linux x86 RHEL 3 | 5.3.6.6
TSM 5.3 (all 5.3 clients with support extensions) | AIX, Linux x86, Linux zSeries, Solaris SPARC, HP PA-RISC, Windows x32, Windows x64 | 5.3.6.6
TSM 5.2 | AIX, Solaris SPARC, HP PA-RISC, Windows x32, Tru64 (at 5.1.8.3 level) | 5.2.5.4 AIX; 5.2.5.4 Solaris SPARC; 5.2.5.4 HP PA-RISC; 5.2.5.4 Windows x32; 5.1.8.3 Tru64 UNIX
TSM Express | Windows x32, Windows x64 | Express 5.3.6.6

  • SSL client update packages:
Client Release | B/A Client Platforms | Client download link
TSM 5.5 | AIX and Windows |
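As an added example, not part of IBM's advisory, the following Python check encodes the version tables from items 1 to 4 above and reports which APAR fixes a given client level still lacks, so an administrator can triage an inventory of client levels against this Flash. It treats any level from the first vulnerable level of a release up to, but excluding, the fixing level as needing the update (the advisory states that later levels within a release are cumulative); the component names, the platform argument, and the sample client are constructed for the example.

```python
"""Am-I-affected check for the TSM client advisory (APARs IC59513, IC59994, IC59779, IC59781)."""
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.4.1.96' -> (5, 4, 1, 96). Tuples order correctly: (5,4,1,96) < (5,4,2) <= (5,4,2,0)."""
    return tuple(int(part) for part in text.strip().split("."))


# (APAR, affected components, product, platform restriction, [(first vulnerable, fixing level), ...])
# transcribed from the advisory tables; a platform restriction of None means every platform.
ADVISORY = [
    ("IC59513", {"web_gui", "java_gui"}, "TSM", None,
     [("5.4.0.0", "5.4.2"), ("5.3.0.0", "5.3.6.6"), ("5.2.0.0", "5.2.5.4"), ("5.1.0.0", "5.1.8.3")]),
    ("IC59513", {"web_gui", "java_gui"}, "TSM Express", None, [("5.3.3.0", "5.3.6.6")]),
    ("IC59994", {"web_gui"}, "TSM", None,
     [("5.5.0.0", "5.5.2"), ("5.4.0.0", "5.4.2.7"), ("5.3.0.0", "5.3.6.6"),
      ("5.2.0.0", "5.2.5.4"), ("5.1.0.0", "5.1.8.3")]),
    ("IC59779", {"java_gui"}, "TSM", None,
     [("5.5.0.0", "5.5.2"), ("5.4.0.0", "5.4.2.7"), ("5.3.0.0", "5.3.6.6"), ("5.2.0.0", "5.2.5.4")]),
    ("IC59779", {"java_gui"}, "TSM Express", None, [("5.3.3.0", "5.3.6.6")]),
    ("IC59781", {"ssl"}, "TSM", {"AIX", "Windows"}, [("5.5.0.0", "5.5.2")]),
]


def needed_fixes(level: str, components: Set[str], product: str = "TSM",
                 platform: str = "") -> Dict[str, str]:
    """Return {APAR: fixing level} for each APAR whose fix this client still lacks.

    A level needs a fix when it is at or above the first vulnerable level of its release
    and below the fixing level (assumption: fixing levels are cumulative, as the advisory says).
    Components are the ones actually in use: any of "web_gui", "java_gui", "ssl".
    """
    installed = parse_version(level)
    result: Dict[str, str] = {}
    for apar, affected, prod, platforms, ranges in ADVISORY:
        if prod != product or not (affected & components):
            continue
        if platforms is not None and platform not in platforms:
            continue  # e.g. the SSL issue only applies to AIX and Windows clients
        for first, fixing in ranges:
            if parse_version(first) <= installed < parse_version(fixing):
                result[apar] = fixing
    return result


if __name__ == "__main__":
    # Constructed sample: a 5.4.1.96 Windows client using the Web GUI still lacks two APAR fixes.
    print(needed_fixes("5.4.1.96", {"web_gui"}, platform="Windows"))
```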



ACKNOWLEDGEMENTS:

The first Web and Java GUI buffer overrun issue (IC59513) was reported to IBM by Secunia. The other three issues were determined internally by IBM.


Document information


More support for:

Tivoli Storage Manager
Client

Software version:

5.2, 5.3, 5.4, 5.5

Operating system(s):

AIX, HP-UX, Linux, Macintosh, NetWare, Solaris, TRU64 UNIX, Windows

Reference #:

1384389

Modified date:

2009-04-30
