Security Bulletin: TSM Server CPU Utilization (CVE-2014-0963)

Summary

The IBM Tivoli Storage Manager (TSM) server and storage agent are affected by a problem related to the SSL implementation which, under very specific conditions, can cause CPU utilization to rapidly increase.

Vulnerability Details


CVE ID: CVE-2014-0963

DESCRIPTION:
TSM server and storage agent are affected by a problem with the handling of certain SSL messages. The TLS implementation can, under very specific conditions, cause CPU utilization to rapidly increase. The situation occurs only in a certain error case that causes a single thread to begin looping. If this happens multiple times, more threads will begin to loop and an increase in CPU utilization will be seen. This increase could ultimately result in CPU exhaustion and unresponsiveness of the Tivoli Storage Manager server and/or storage agent and other software running on the affected system.

This issue can affect the availability of the system, but does not impact system confidentiality or integrity. The vulnerability can be exploited remotely; authentication is not required, and the exploit is moderately complex.

To determine if your systems are being affected by this issue, you can monitor the CPU utilization for Tivoli Storage Manager instances.

CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

IBM Tivoli Storage Manager server release levels:

· 7.1.0 (all servers and storage agents)

· 6.3.0 through 6.3.4.30 (all servers)

· 6.3.3 through 6.3.4.30 (all storage agents)

· 6.2.0 through 6.2.6.0 (all servers)

· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)

· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions included with the patch.

Product: IBM Tivoli Storage Manager Server 7.1
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher).
A fix is also provided as part of level 7.1.1:
http://www.ibm.com/support/docview.wss?uid=swg24038353
Note: If your server or storage agent is on the HP-UX platform, you should not call IBM service for GSKIT 8.0.14.43. You should install 7.1.1 instead.

Product: IBM Tivoli Storage Manager Server 6.3
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher).
A fix is also provided as part of level 6.3.5:
http://www.ibm.com/support/docview.wss?uid=swg24038158

Product: IBM Tivoli Storage Manager Server 6.2
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 7.0.4.50 (or higher).
A fix will also be provided as part of level 6.2.7.

Product: IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only
Remediation/First Fix: Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014. IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release.

Workarounds and Mitigations

Method One) Monitor CPU utilization of your Tivoli Storage Manager server and/or storage agent instances. If utilization becomes abnormally high, stop and restart the affected instance.
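The bulletin leaves "abnormally high" undefined, and a single short spike is not evidence of the looping threads it describes; what distinguishes this failure mode is utilization that climbs and then stays high as more threads enter the loop. The following is an added example, not IBM's code or part of the bulletin, of a detector that only raises when a configurable number of consecutive samples stay at or above a threshold, plus a Linux-only sampler that reads /proc/<pid>/stat for a dsmserv or dsmsta process. The sample values, the 90 percent threshold and the five-sample window are constructed for illustration; tune them to your instance and host.

```python
"""Sustained-CPU check for a TSM server or storage agent instance (added example)."""
import os
import time
from typing import Iterable, List, Tuple

Sample = Tuple[float, float]  # (epoch seconds, CPU percent consumed by the instance)


def sustained_high_cpu(samples: Iterable[Sample], threshold: float = 90.0,
                       window: int = 5) -> List[float]:
    """Return the timestamps at which `window` consecutive samples at or above
    `threshold` have been observed. A lone spike never fires; the bulletin's case,
    where looping threads keep utilization high sample after sample, does.
    The detector re-arms once utilization drops below the threshold again."""
    alerts: List[float] = []
    streak = 0
    for ts, pct in samples:
        if pct >= threshold:
            streak += 1
            if streak == window:
                alerts.append(ts)
        else:
            streak = 0
    return alerts


def proc_cpu_ticks(pid: int) -> int:
    """Linux only: user + system CPU ticks consumed so far by `pid`, from /proc/<pid>/stat.
    The comm field may contain spaces, so split on the closing parenthesis first."""
    with open(f"/proc/{pid}/stat") as fh:
        rest = fh.read().rsplit(")", 1)[1].split()
    # rest[0] is field 3 (state); utime and stime are fields 14 and 15 of the stat line
    return int(rest[11]) + int(rest[12])


def sample_process_cpu(pid: int, interval: float = 1.0) -> Sample:
    """One (timestamp, percent of one core) sample for `pid` measured over `interval` seconds.
    A multi-threaded instance can exceed 100 on a multi-core host; scale the threshold accordingly."""
    ticks_per_sec = os.sysconf("SC_CLK_TCK")
    before = proc_cpu_ticks(pid)
    time.sleep(interval)
    after = proc_cpu_ticks(pid)
    return time.time(), 100.0 * (after - before) / (ticks_per_sec * interval)


# Constructed samples (one every 10 s) for an instance whose threads start looping one
# after another: a transient spike at t=20 that must not alert, then a climb that stays high.
CONSTRUCTED_SAMPLES: List[Sample] = [
    (0, 12.0), (10, 15.0), (20, 97.0), (30, 18.0), (40, 14.0),
    (50, 35.0), (60, 60.0), (70, 92.0), (80, 95.0), (90, 99.0),
    (100, 100.0), (110, 100.0), (120, 100.0),
]

if __name__ == "__main__":
    # Offline demonstration on the constructed series; for a live instance feed the
    # detector a generator such as (sample_process_cpu(pid) for _ in range(60)).
    print(sustained_high_cpu(CONSTRUCTED_SAMPLES, threshold=90.0, window=5))
```

When the detector fires, the bulletin's Method One applies: stop and restart the affected instance. Logging the alert timestamp alongside the instance name gives the incident record needed to decide whether the workaround in Method Two or the GSKIT fix should be scheduled.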

Method Two) Disable the use of TLS in Tivoli Storage Manager. To do this, perform the following for every Server or Storage agent instance in your environment:

1. For every server, update the options file (server: dsmserv.opt; storage agent: dsmsta.opt) by commenting out the options statements "SSLTCPPORT xxxx" and "SSLTCPADMINPORT xxxx". Commenting out entails placing an asterisk at the beginning of the line containing "SSLTCPPORT" and/or "SSLTCPADMINPORT".
2. Ensure that a TCPPORT or TCPADMINPORT options statement is in the options file and not commented out.
3. Update all server and storage agent definitions to use the TCP port rather than the SSL port in each server and storage agent. For storage agents, you can re-define the setup by using the dsmsta setstorageserver command and not using the SSL=YES parameter.
4. Update all client options files by commenting out the "SSL YES" option in their respective dsm.sys files and/or options files. Note: A new level of the client is not required for this issue.
5. Stop and restart all storage agents and servers. Then stop and start all clients and client schedulers that are using SSL as their communication method.
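Steps 1 and 2 above are easy to get wrong across many instances: commenting out the SSL ports on a server that has no live TCPPORT leaves it with no listener at all. The following is an added example, not IBM's code or part of the bulletin, that applies step 1 to the text of a dsmserv.opt or dsmsta.opt file and refuses to do so unless step 2 already holds. It uses only the two conventions the bulletin states (one option per line; an asterisk at the start of the line is a comment) and assumes the option keywords are written out in full rather than abbreviated; the sample options file is constructed, not taken from any installation. Steps 3 to 5 (server definitions, client dsm.sys files, restarts) are not covered.

```python
"""Disable the TSM SSL listener ports in an options file and verify a TCP port remains (added example)."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

SSL_OPTIONS = ("SSLTCPPORT", "SSLTCPADMINPORT")
TCP_OPTIONS = ("TCPPORT", "TCPADMINPORT")

# One option per line: keyword, whitespace, value. Assumption: keywords appear in full.
OPTION_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\S+)")


def is_comment(line: str) -> bool:
    """A line whose first non-blank character is '*' is a comment (bulletin convention)."""
    return line.lstrip().startswith("*")


def active_options(text: str) -> Dict[str, str]:
    """Map of uppercase option keyword -> value for every line that is not commented out."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        if is_comment(line):
            continue
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1).upper()] = m.group(2)
    return opts


def tcp_port_active(text: str) -> bool:
    """Step 2 of the workaround: a live TCPPORT or TCPADMINPORT statement must remain."""
    return any(k in active_options(text) for k in TCP_OPTIONS)


def disable_ssl_ports(text: str) -> Tuple[str, List[str]]:
    """Step 1 of the workaround: prefix every live SSLTCPPORT / SSLTCPADMINPORT line with '*'.
    Returns the rewritten text and the keywords that were commented out; running it
    again on already-hardened text changes nothing and reports an empty list."""
    out: List[str] = []
    disabled: List[str] = []
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m and not is_comment(line) and m.group(1).upper() in SSL_OPTIONS:
            out.append("*" + line)  # asterisk at the beginning of the line
            disabled.append(m.group(1).upper())
        else:
            out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, disabled


def harden_options_file(path: Path) -> List[str]:
    """Apply the workaround to a dsmserv.opt / dsmsta.opt file, keeping a .bak copy.
    Refuses to remove the SSL ports when no plain TCP port would be left listening."""
    text = path.read_text()
    if not tcp_port_active(text):
        raise RuntimeError(f"{path}: no active TCPPORT/TCPADMINPORT; add one before disabling SSL")
    new_text, disabled = disable_ssl_ports(text)
    if disabled:
        path.with_name(path.name + ".bak").write_text(text)
        path.write_text(new_text)
    return disabled


# Constructed sample options file (not from a real installation).
SAMPLE_DSMSERV_OPT = """\
* dsmserv.opt (constructed sample)
COMMMETHOD TCPIP
TCPPORT 1500
TCPADMINPORT 1500
SSLTCPPORT 1543
SSLTCPADMINPORT 1543
DEVCONFIG devconfig.out
"""

if __name__ == "__main__":
    hardened, removed = disable_ssl_ports(SAMPLE_DSMSERV_OPT)
    print("commented out:", removed)
    print(hardened)
    # For a real file: harden_options_file(Path("/path/to/dsmserv.opt"))
```

Because the rewrite is idempotent and keeps a .bak copy, it can be run from configuration management on every server and storage agent instance, and the returned list doubles as an audit of which instances still had SSL ports enabled. After the files are changed, the restart in step 5 is still required for the options to take effect.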

References

Acknowledgement

None

Change History

09 June 2014: Original Copy Published
11 June 2014: Indicated that new client is not necessary in Workarounds
07 October 2014: Indicated that 7.1.1 is available with the fix

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 17 June 2018
UID: swg21674825