Security Bulletin
Summary
A certificate chain presented by a Client or Server could contain a circular reference that will cause the chain building logic to loop, crash or hang.
Vulnerability Details
CVE ID: CVE-2013-6747
DESCRIPTION:
A certificate chain presented by a client or server could contain a circular reference that causes the chain-building logic to loop, which can lead to a segmentation fault (SIGSEGV) crash or to a hang due to memory exhaustion.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
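The failure mode described above, as an added illustration that is not IBM or GSKit code: a chain builder that follows issuer links without a termination guard never reaches a trust anchor when two certificates name each other as issuer, so it exhausts the stack (a SIGSEGV in a C implementation; Python raises RecursionError instead) or keeps accumulating path state. The hardened builder walks iteratively with a visited set and a depth cap and rejects such a chain with an error. Certificates are modelled as name-only records and all names are constructed; signature verification is omitted because only the path-building logic is at issue.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: str


class ChainError(Exception):
    """Raised when no valid path to a trust anchor exists."""


def index_by_subject(certs: Iterable[Cert]) -> Dict[str, Cert]:
    return {c.subject: c for c in certs}


def build_chain_naive(cert: Cert, presented: Dict[str, Cert],
                      trust_anchors: Set[str]) -> List[Cert]:
    """Flawed pattern: follow issuer links recursively with no guard.
    A certificate that directly or indirectly names itself as issuer makes
    this recurse until the stack is exhausted."""
    if cert.subject in trust_anchors:
        return [cert]
    issuer = presented.get(cert.issuer)
    if issuer is None:
        raise ChainError(f"no issuer for {cert.subject!r}")
    return [cert] + build_chain_naive(issuer, presented, trust_anchors)


def build_chain_safe(cert: Cert, presented: Dict[str, Cert],
                     trust_anchors: Set[str], max_depth: int = 10) -> List[Cert]:
    """Hardened pattern: iterative walk with a visited set and a hard depth
    cap, so a cyclic or over-long chain is rejected instead of looping."""
    chain = [cert]
    seen = {cert.subject}
    while chain[-1].subject not in trust_anchors:
        if len(chain) >= max_depth:
            raise ChainError(f"chain exceeds {max_depth} certificates")
        current = chain[-1]
        issuer = presented.get(current.issuer)
        if issuer is None:
            raise ChainError(f"no issuer for {current.subject!r}")
        if issuer.subject in seen:
            # Covers both A<->B cycles and a self-signed non-anchor (A<-A).
            raise ChainError(f"circular reference via {issuer.subject!r}")
        seen.add(issuer.subject)
        chain.append(issuer)
    return chain


def validate_presented_chain(certs: List[Cert], trust_anchors: Set[str],
                             builder=build_chain_safe):
    """Return the subject names on the built path, or a rejection message."""
    try:
        path = builder(certs[0], index_by_subject(certs), trust_anchors)
    except ChainError as exc:
        return f"rejected: {exc}"
    return [c.subject for c in path]


def naive_exhausts_stack(certs: List[Cert], trust_anchors: Set[str]) -> bool:
    """Run the flawed builder and report whether it died of stack exhaustion."""
    try:
        build_chain_naive(certs[0], index_by_subject(certs), trust_anchors)
    except RecursionError:
        return True
    except ChainError:
        return False
    return False


# Constructed sample data (names are invented for the example).
TRUST_ANCHORS = {"CN=Example Root CA"}

GOOD_CHAIN = [
    Cert("CN=backup-server.example.test", "CN=Example Issuing CA"),
    Cert("CN=Example Issuing CA", "CN=Example Root CA"),
    Cert("CN=Example Root CA", "CN=Example Root CA"),
]

# The two intermediates name each other as issuer: no path ever reaches an anchor.
CYCLIC_CHAIN = [
    Cert("CN=backup-server.example.test", "CN=Intermediate A"),
    Cert("CN=Intermediate A", "CN=Intermediate B"),
    Cert("CN=Intermediate B", "CN=Intermediate A"),
]

# A long linear chain, to show the depth cap firing before memory is wasted.
LONG_CHAIN = [Cert(f"CN=Link {i}", f"CN=Link {i + 1}") for i in range(20)]


if __name__ == "__main__":
    print("good chain  :", validate_presented_chain(GOOD_CHAIN, TRUST_ANCHORS))
    print("cyclic chain:", validate_presented_chain(CYCLIC_CHAIN, TRUST_ANCHORS))
    print("long chain  :", validate_presented_chain(LONG_CHAIN, TRUST_ANCHORS))
    print("naive builder exhausts stack on cycle:",
          naive_exhausts_stack(CYCLIC_CHAIN, TRUST_ANCHORS))
```

The visited set is what turns an unbounded loop into a deterministic rejection; the depth cap is a second, independent bound so that a non-cyclic but very long chain also fails fast rather than consuming memory proportional to what the peer sends.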
Affected Products and Versions
IBM Tivoli Storage Manager server release levels:
· 7.1.0 (all servers and storage agents)
· 6.3.0 through 6.3.4.30 (all servers)
· 6.3.3 through 6.3.4.30 (all storage agents)
· 6.2.0 through 6.2.6.0 (all servers)
· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)
· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)
Remediation/Fixes
The recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available and the links where the fixes can be downloaded.
| Product | APAR | Remediation/First Fix |
| --- | --- | --- |
| IBM Tivoli Storage Manager Server 7.1 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix will also be provided as part of level 7.1.1. |
| IBM Tivoli Storage Manager Server 6.3 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix will also be provided as part of level 6.3.5. |
| IBM Tivoli Storage Manager Server 6.2 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 7.0.4.50 (or higher). A fix will also be provided as part of level 6.2.7. |
| IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only | | Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014. IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release. |
Workarounds and Mitigations
Remove the ability for users to use SSL sessions by removing the SSL communication options from the server and/or storage agent option files.
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
09 June 2014: Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
17 June 2018
UID
swg21674824