Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2015-0287)

Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL, which is used by the Tivoli Storage Manager Client, has been updated to address the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0287
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

This security exposure affects network connections between the Tivoli Storage Manager (IBM Spectrum Protect) Client and VMware services. This exposure affects:

  • Tivoli Storage Manager Client levels:
    - 7.1.0.0 through 7.1.3.x - VMware services with Linux x86 and Windows x64 clients
    - 7.1.0.0 through 7.1.6.2 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
    - 6.4.0.0 through 6.4.3.1 - VMware services with Linux x86, Windows x32, and Windows x64 clients
    - 6.4.0.0 through 6.4.3.3 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
    - 6.3 all levels
    - 6.2 all levels - TSM 6.2 is beyond End of Support
  • Tivoli Storage Manager for Virtual Environments: Data Protection for VMware levels:
    - 7.1.0.0 through 7.1.3.x - TSM Linux x86 and Windows x64 clients are shipped with 7.1 and are used as the data mover
    - 6.4 all levels when used with an affected TSM client data mover level
    - 6.3 all levels when used with an affected TSM client data mover level

Remediation/Fixes

Tivoli Storage Manager Client (Release / Fixing VRM Level / Target / Platform / Link to Fix or Fix Availability)

  • Release 7.1, fixing level 7.1.4, VMware
    - Platforms: Linux x86, Windows x64
    - Fix: http://www.ibm.com/support/docview.wss?uid=swg24041076
  • Release 7.1, fixing level 7.1.6.3, NetApp
    - Platforms: AIX, Linux x86, Windows x32, Windows x64
    - Fix: http://www.ibm.com/support/docview.wss?uid=swg24042496
  • Release 6.4, fixing level 6.4.3.2, VMware
    - Platforms: Linux x86, Windows x64
    - Fix: http://www.ibm.com/support/docview.wss?uid=swg24041144
  • Release 6.4, fixing level 6.4.3.4, NetApp
    - Platforms: AIX, Linux x86, Windows x64
    - Fix: http://www.ibm.com/support/docview.wss?uid=swg24041144
  • Release 6.4, VMware/NetApp
    - Platform: Windows x32
    - Fix availability: IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 or 7.1 Windows x64 client with the 7.1 (7.1.4 or 7.1.6.3) or 6.4 (6.4.3.2 or 6.4.3.4) fix. Please refer to APAR IT13174 for more information about Windows x32 and VMware backups.
  • Releases 6.3 and 6.2
    - Fix availability: IBM recommends that VMware/NetApp users upgrade to a fixed level of 7.1 (7.1.4 for VMware, 7.1.6.3 for NetApp) or 6.4 (6.4.3.2 for VMware, 6.4.3.4 for NetApp).

Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (Release / Fixing VRM Level / Platform / Link to Fix or Fix Availability)

  • Release 7.1, fixing level 7.1.4
    - Platforms: Linux x86, Windows x64
    - Fix: http://www.ibm.com/support/docview.wss?uid=swg24041094
  • Release 6.4
    - Platforms: Linux x86, Windows x64
    - Fix availability: Apply the TSM client fixing level (6.4.3.2).
  • Release 6.4
    - Platform: Windows x32
    - Fix availability: IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 Windows x64 client with the 6.4.3.2 fix. Please refer to APAR IT13174 for more information about Windows x32 and Data Protection for VMware.
  • Release 6.3
    - Fix availability: IBM recommends that Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 6.3 users upgrade to 6.4 and apply the TSM client fixing level (6.4.3.2), or upgrade to 7.1.4.

Workarounds and Mitigations

None

References

Acknowledgement

None

Change History

01 February 2016: Original version published.
03 October 2016: Updated with NetApp information.
01 November 2016: Updated with link to interim fix 6.4.3.4.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information

  • Segment: Storage Management
    - Product: Tivoli Storage Manager for Virtual Environments
    - Component: Data Protection for VMware
    - Platform: Linux, Windows
    - Version: 6.3, 6.4, 7.1
    - Edition: All Editions
  • Segment: Storage Management
    - Product: Tivoli Storage Manager Extended Edition
    - Component: Client
    - Platform: AIX, Linux, Windows
    - Version: 6.1, 6.2, 6.3, 6.4, 7.1
    - Edition: All Editions

Document information

More support for: Tivoli Storage Manager Client

Software version: 6.2, 6.3, 6.4, 7.1

Operating system(s): AIX, Linux, Windows

Software edition: All Editions

Reference #: 1975397

Modified date: 01 November 2016