Security Bulletin: Tivoli Storage Manager Server Certificate Chaining Vulnerability (CVE-2013-6747 )


Summary

A certificate chain presented by a client or server could contain a circular reference (a certificate whose issuer link leads back to a certificate already in the chain), which causes the chain-building logic to loop, crash or hang.

Vulnerability Details


CVE ID: CVE-2013-6747

DESCRIPTION:
A certificate chain presented by a client or server could contain a circular reference that causes the chain-building logic to loop indefinitely, which can lead to a SEGV crash or to a hang due to memory exhaustion. Because the chain is supplied by the remote peer during the TLS handshake, no authentication is required to trigger the condition.
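To make the failure mode concrete, the following is an added example written for this bulletin; it is not IBM or GSKit code, and the Cert class, ChainError, the function names and every certificate in it are constructed for illustration. It models only the issuer-walk of chain building (signature checking is deliberately left out) and shows a naive walker that grows its chain without bound on a cyclic peer-supplied chain next to a walker that tracks visited certificates, bounds depth and terminates only at a locally configured trust anchor.

```python
"""Certificate chain building with and without cycle detection.

Added example (not IBM or GSKit code). Only the issuer-link walk is
modelled; signature verification is omitted on purpose. All certificates
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate. The serial plays the
    role a fingerprint would play in a real implementation."""
    subject: str
    issuer: str
    serial: int


class ChainError(Exception):
    """Raised when no valid chain can be built from the supplied certificates."""


def index_by_subject(certs: List[Cert]) -> Dict[str, Cert]:
    return {c.subject: c for c in certs}


def subjects(chain: List[Cert]) -> List[str]:
    return [c.subject for c in chain]


def naive_build_chain(leaf: Cert, supplied: List[Cert],
                      step_limit: int = 10_000) -> List[Cert]:
    """Vulnerable walker: follows issuer links until it reaches a
    self-signed certificate. On a cyclic chain it never gets there.
    step_limit stands in for the real outcome (memory exhaustion or a
    hang) so that the example terminates."""
    by_subject = index_by_subject(supplied)
    chain = [leaf]
    cur = leaf
    while cur.subject != cur.issuer:
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            raise ChainError(f"issuer {cur.issuer!r} not in supplied chain")
        chain.append(nxt)  # grows without bound when the links form a cycle
        cur = nxt
        if len(chain) >= step_limit:
            break
    return chain


def safe_build_chain(leaf: Cert, supplied: List[Cert],
                     trust_anchors: List[Cert], max_depth: int = 10) -> List[Cert]:
    """Hardened walker: stops only at a locally configured trust anchor,
    refuses to revisit a certificate, and bounds the chain length."""
    by_subject = index_by_subject(supplied)
    anchors = index_by_subject(trust_anchors)
    chain = [leaf]
    seen = {(leaf.subject, leaf.serial)}
    cur = leaf
    while True:
        if cur.issuer in anchors:
            chain.append(anchors[cur.issuer])  # anchor from the local store, not the peer
            return chain
        if len(chain) >= max_depth:
            raise ChainError(f"chain exceeds {max_depth} certificates")
        if cur.subject == cur.issuer:
            raise ChainError(f"self-signed {cur.subject!r} is not a configured trust anchor")
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            raise ChainError(f"issuer {cur.issuer!r} not in supplied chain")
        key = (nxt.subject, nxt.serial)
        if key in seen:
            raise ChainError(f"circular reference: {nxt.subject!r} already in chain")
        seen.add(key)
        chain.append(nxt)
        cur = nxt


# Constructed sample data: a well-formed chain ...
ROOT = Cert("root", "root", 1)
INTERMEDIATE = Cert("intermediate", "root", 2)
GOOD_LEAF = Cert("leaf", "intermediate", 3)
GOOD_CHAIN = [GOOD_LEAF, INTERMEDIATE, ROOT]

# ... and a peer-supplied chain whose issuer links form a cycle (A -> B -> A)
LOOP_A = Cert("loop-a", "loop-b", 4)
LOOP_B = Cert("loop-b", "loop-a", 5)
LOOP_LEAF = Cert("leaf", "loop-a", 6)
LOOP_CHAIN = [LOOP_LEAF, LOOP_A, LOOP_B]


if __name__ == "__main__":
    print("naive, good chain :", subjects(naive_build_chain(GOOD_LEAF, GOOD_CHAIN)))
    print("naive, cyclic     :", len(naive_build_chain(LOOP_LEAF, LOOP_CHAIN)), "certs and still going")
    print("safe, good chain  :", subjects(safe_build_chain(GOOD_LEAF, GOOD_CHAIN, [ROOT])))
    try:
        safe_build_chain(LOOP_LEAF, LOOP_CHAIN, [ROOT])
    except ChainError as err:
        print("safe, cyclic      :", err)
```

The two design choices that matter are in the hardened walker: identity is tracked per certificate (subject plus serial) rather than per subject name alone, so two different certificates with the same name cannot confuse the check, and the walk ends at a certificate taken from the local trust store, so a self-signed certificate supplied by the peer is never accepted as the end of the chain.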

CVSS Base Score: 7.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

IBM Tivoli Storage Manager server release levels:

· 7.1.0 (all servers and storage agents)

· 6.3.0 through 6.3.4.30 (all servers)

· 6.3.3 through 6.3.4.30 (all storage agents)

· 6.2.0 through 6.2.6.0 (all servers)

· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)

· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)

Remediation/Fixes

The recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available and the links where the fixes can be downloaded.

Product | APAR | Remediation/First Fix
IBM Tivoli Storage Manager Server 7.1 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKit installation files and install instructions to install GSKit 8.0.14.43 (or higher). A fix will also be provided as part of level 7.1.1.
IBM Tivoli Storage Manager Server 6.3 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKit installation files and install instructions to install GSKit 8.0.14.43 (or higher). A fix will also be provided as part of level 6.3.5.
IBM Tivoli Storage Manager Server 6.2 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKit installation files and install instructions to install GSKit 7.0.4.50 (or higher). A fix will also be provided as part of level 6.2.7.
IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only | | Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014. IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release.

Workarounds and Mitigations

Remove the ability for users to use SSL sessions by removing the SSL communication options from the server and/or storage agent option files. Note that this leaves the affected sessions without SSL/TLS protection entirely; it is a stopgap until the fix can be applied, not a substitute for it.

References

Acknowledgement

None

Change History

09 June 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
17 June 2018

UID

swg21674824