TSM UNIX and Linux Client Security Fixes - December 2010

Flash (Alert)


Abstract

Fixes are available for two security vulnerabilities in the IBM Tivoli Storage Manager (TSM) UNIX and Linux backup-archive clients, and one security vulnerability in the TSM for Space Management (HSM) UNIX and Linux clients, as described below.

Content

Two security vulnerabilities exist in the TSM UNIX and Linux backup-archive clients, and one security vulnerability exists in the HSM UNIX and Linux clients. Fixes are available (see tables below with the first fixing level for each vulnerability).

Note: the Macintosh backup-archive client is included in the UNIX backup-archive clients.

IBM assesses the base Common Vulnerability Scoring System (CVSS) scores for these vulnerabilities at between 6.6 and 6.8 for the backup-archive vulnerabilities, and 10 for the HSM client vulnerability.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the CVSS is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. For information on CVSS scores, please see www.first.org/cvss.

1. IC65491, UNIX and Linux backup-archive and API client TCA Local Buffer Overrun

A local buffer overrun vulnerability, which has the potential to crash the TSM client or to allow malicious code injection, exists in the TSM UNIX and Linux Trusted Communications Agent (TCA). The malicious code could, for example, allow a local unauthorized user (a user with a local account) to read, copy, alter, or delete files on the client machine.

All Windows and NetWare backup-archive and API clients and all 6.2 clients are unaffected.

CVSS base score: 6.8

Client Release   Vulnerable UNIX and Linux Client Levels   First Level with Fix within that Release for all affected clients
TSM 6.1          6.1.0.0 through 6.1.3.0                   6.1.4*
TSM 5.5          5.5.0.0 through 5.5.2.7                   5.5.3**
TSM 5.4          5.4.0.0 through 5.4.3.3                   5.4.3.4

* = interim fixes 6.1.3.1 through 6.1.3.4 included the fix for all affected client platforms that were delivered with those interim fixes
** = interim fixes 5.5.2.10 and 5.5.2.12 provided the fix for all affected client platforms that were delivered with those interim fixes


2. IC66686, UNIX and Linux backup-archive client Unauthorized Access

An unauthorized access vulnerability, which could allow a local unauthorized user (a user with a local account) to replace system files on the client with arbitrary content, exists in the TSM UNIX and Linux backup-archive clients.

All Windows and NetWare backup-archive clients are unaffected.

CVSS base score: 6.6

Client Release   Vulnerable UNIX and Linux Client Levels   First Level with Fix within that Release for all affected clients
TSM 6.2          6.2.0.0 through 6.2.1.1
TSM 6.1          6.1.0.0 through 6.1.3.4                   6.1.4
TSM 5.5          5.5.0.0 through 5.5.2.12                  5.5.3
TSM 5.4          5.4.0.0 through 5.4.3.3                   5.4.3.4


3. IC69150, UNIX and Linux Space Management client Remote Script Execution

A remote script execution vulnerability, which has the potential to allow unauthorized users (users with network access) to remotely exploit the vulnerability and execute commands, exists in the TSM UNIX and Linux HSM clients. The commands could, for example, allow the attacker to read, copy, alter, or delete files on the client machine.

All backup-archive clients, and the HSM for Windows clients, are unaffected by this vulnerability.

CVSS base score: 10

Client Release   Vulnerable UNIX and Linux HSM Client Levels   First Level with Fix within that Release for all affected clients
TSM 6.2          6.2.0.0 through 6.2.1.1
TSM 6.1          6.1.0.0 through 6.1.3.4                       6.1.4
TSM 5.5          5.5.0.0 through 5.5.2.12                      5.5.3
TSM 5.4          5.4.0.0 through 5.4.3.3                       5.4.3.4


SOLUTION:
For all three vulnerabilities, install the TSM client packages that include the fix for the vulnerability for your TSM client release level. See the tables above for the first fixing level for each vulnerability. For releases still in support (6.2), click on that level number, which is a link to the download packages. Later levels within the release are cumulative and will also contain the fix. See this page for links to the latest fixpack and interim fix update packages for each release: http://www.ibm.com/support/docview.wss?uid=swg21239415.
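The tables above are easy to misread when checking an estate by hand: levels such as 5.5.2.10 sort after 5.5.2.7 only when compared numerically, the first-fixing level for IC65491 (6.1.4) is later than the interim fixes that already carried it (6.1.3.1 through 6.1.3.4), and a level that falls between the last vulnerable level and the first fixing level is simply not described by the flash. The following script is an added example written for this page, not IBM code or an IBM tool; it transcribes the three tables and their footnotes and classifies an installed client level as vulnerable, fixed, fixed by an interim fix, unaffected, or not covered by the flash. The component names ("backup-archive", "space-management"), the function names, and the inventory rows are constructed for the example; how the level string is obtained from each host is assumed to be handled outside the script.

```python
"""Classify TSM UNIX/Linux client levels against the fix tables in this flash.

Added example, not part of the IBM flash. The tables below are transcribed from
the advisory text; "unlisted" means the page says nothing about that level.
"""
from __future__ import annotations


def parse_level(text: str) -> tuple[int, int, int, int]:
    """Turn '6.1.4' or '5.5.2.10' into a four-part tuple so that levels compare
    numerically (string comparison would wrongly place 5.5.2.10 before 5.5.2.7).
    Missing trailing parts are treated as 0, so '6.1.4' equals 6.1.4.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected level format: {text!r}")
    while len(parts) < 4:
        parts.append(0)
    return (parts[0], parts[1], parts[2], parts[3])


# Per APAR: release -> (first vulnerable level, last vulnerable level,
# first fixing level or None where the flash text gives none, interim fix
# levels that the footnotes say already carried the fix).
TABLES = {
    "IC65491": {  # TCA local buffer overrun (backup-archive and API client)
        "6.1": ("6.1.0.0", "6.1.3.0", "6.1.4", ("6.1.3.1", "6.1.3.2", "6.1.3.3", "6.1.3.4")),
        "5.5": ("5.5.0.0", "5.5.2.7", "5.5.3", ("5.5.2.10", "5.5.2.12")),
        "5.4": ("5.4.0.0", "5.4.3.3", "5.4.3.4", ()),
    },
    "IC66686": {  # unauthorized access (backup-archive client)
        "6.2": ("6.2.0.0", "6.2.1.1", None, ()),
        "6.1": ("6.1.0.0", "6.1.3.4", "6.1.4", ()),
        "5.5": ("5.5.0.0", "5.5.2.12", "5.5.3", ()),
        "5.4": ("5.4.0.0", "5.4.3.3", "5.4.3.4", ()),
    },
    "IC69150": {  # remote script execution (HSM / Space Management client)
        "6.2": ("6.2.0.0", "6.2.1.1", None, ()),
        "6.1": ("6.1.0.0", "6.1.3.4", "6.1.4", ()),
        "5.5": ("5.5.0.0", "5.5.2.12", "5.5.3", ()),
        "5.4": ("5.4.0.0", "5.4.3.3", "5.4.3.4", ()),
    },
}

# Releases the flash explicitly calls unaffected (all 6.2 clients for IC65491).
UNAFFECTED_RELEASES = {"IC65491": {"6.2"}}

# Which client component each APAR concerns (component names are constructed).
APPLIES_TO = {
    "IC65491": "backup-archive",
    "IC66686": "backup-archive",
    "IC69150": "space-management",
}


def assess(apar: str, level_text: str) -> str:
    """Return 'vulnerable', 'fixed', 'fixed-interim', 'unaffected' or 'unlisted'."""
    level = parse_level(level_text)
    release = f"{level[0]}.{level[1]}"
    if release in UNAFFECTED_RELEASES.get(apar, set()):
        return "unaffected"
    row = TABLES[apar].get(release)
    if row is None:
        return "unlisted"  # release not mentioned by the flash
    low, high, first_fix, interims = row
    # Interim fixes are checked first: they sit numerically above the last
    # vulnerable level but below the first fixing level. The footnote caveat
    # still applies: the fix was included only for platforms shipped with
    # that interim fix, so this status deserves a manual platform check.
    if any(level == parse_level(i) for i in interims):
        return "fixed-interim"
    if parse_level(low) <= level <= parse_level(high):
        return "vulnerable"
    if first_fix is not None and level >= parse_level(first_fix):
        return "fixed"  # later levels within the release are cumulative
    return "unlisted"  # gap the flash does not describe (e.g. 5.5.2.8 for IC65491)


def assess_client(component: str, level_text: str) -> dict[str, str]:
    """Status for every APAR in this flash that applies to the given component."""
    return {
        apar: assess(apar, level_text)
        for apar, comp in APPLIES_TO.items()
        if comp == component
    }


if __name__ == "__main__":
    # Constructed inventory rows: (host, component, installed level).
    inventory = [
        ("ba-host-1", "backup-archive", "6.1.3.2"),
        ("ba-host-2", "backup-archive", "5.5.2.8"),
        ("hsm-host-1", "space-management", "6.2.1.1"),
    ]
    for host, component, level in inventory:
        for apar, status in assess_client(component, level).items():
            print(f"{host:<11} {component:<17} {level:<9} {apar}: {status}")
```

Two outcomes need a human follow-up rather than an automatic "patched" mark: "fixed-interim" depends on the platform having shipped with that interim fix, and "unlisted" means the flash gives no statement for that level (for example 6.2 levels above 6.2.1.1, whose fixing level is given only as a link in the original, or 5.5.2.8 for IC65491).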

ACKNOWLEDGEMENTS:
The UNIX and Linux TCA local buffer overrun vulnerability (IC65491) was reported to IBM by Kryptos Logic. The other vulnerabilities were determined internally by IBM.


Cross reference information

Segment             Product                                       Component   Platform                      Version             Edition
Storage Management  Tivoli Storage Manager for Space Management               AIX, HP-UX, Linux, Solaris    5.4, 5.5, 6.1, 6.2  Edition Independent


Document information

More support for: Tivoli Storage Manager Client
Software version: 5.4, 5.5, 6.1, 6.2
Operating system(s): AIX, HP-UX, Linux, Macintosh, Solaris, z/OS
Reference #: 1454745
Modified date: 2010-12-14
