Flashes (Alerts)
Abstract
Unauthorized access exposure in the IBM Tivoli Storage Manager server.
Content
VULNERABILITY DETAILS:
CVEID: CVE-2012-5944
DESCRIPTION:
For systems with multiple users, where individual users are given authorization to perform client operations to the server, it is possible that a user can obtain access to the data stored on the server for other users on the same system that have data stored on the server under the same node. This can result in unauthorized access, data integrity and data loss issues with respect to certain node data.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80539 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
AFFECTED PRODUCTS AND VERSION:
IBM Tivoli Storage Manager versions:
· 6.3.0 through 6.3.3.xxx
· 6.2.0 through 6.2.4.xxx
· 6.1.0 through 6.1.5.2xx
· 5.5.0 through 5.5.6.xxx
· 5.4, which is no longer supported, and prior unsupported releases
· Note: the 7.1 release is unaffected
REMEDIATION:
The recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available and the links where the fixes can be downloaded.
| Product | VRMF | APAR | Remediation/First Fix |
| IBM Tivoli Storage Manager server | 6.3.4.0 | IC82487 | http://www-01.ibm.com/support/docview.wss?uid=swg24035192 |
| IBM Tivoli Storage Manager server | 6.2.5.0 | IC82487 | |
| IBM Tivoli Storage Manager server | 6.1.5.300 | IC82487 | |
| IBM Tivoli Storage Manager server | 5.5.7.0 | IC82487 | |
| IBM Tivoli Storage Manager server | All earlier versions. | None | IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release |
Workaround(s) & Mitigation(s):
Remove the ability for users on a multi user system to access the IBM Tivoli Storage Manager server without having to supply the node password.
Important note: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT
None
CHANGE HISTORY
<12 November 2013>: Original Copy Published
<5 December 2013>: Changed CVSS Base Score from 3.6 to 4.6, and CVSS Vector from (AV:L/AC:L/Au:N/C:P/I:P/A:N) to (AV:L/AC:L/Au:N/C:P/I:P/A:P)
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Was this topic helpful?
Document Information
Modified date:
25 September 2022
UID
swg21657726