Security Bulletin
Summary
OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL, used by the Tivoli Storage Manager Client, has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2015-0287
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
This security exposure affects network connections between the Tivoli Storage Manager (IBM Spectrum Protect) Client and VMware services. This exposure affects:
- Tivoli Storage Manager Client levels:
  - 7.1.0.0 through 7.1.3.x - VMware services with Linux x86 and Windows x64 clients
  - 7.1.0.0 through 7.1.6.2 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
  - 6.4.0.0 through 6.4.3.1 - VMware services with Linux x86, Windows x32, and Windows x64 clients
  - 6.4.0.0 through 6.4.3.3 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
  - 6.3 all levels
  - 6.2 all levels - TSM 6.2 is beyond End of Support
- Tivoli Storage Manager for Virtual Environments: Data Protection for VMware levels:
  - 7.1.0.0 through 7.1.3.x - TSM Linux x86 and Windows x64 clients are shipped with 7.1 and are used as the data mover
  - 6.4 all levels when used with an affected TSM client data mover level
  - 6.3 all levels when used with an affected TSM client data mover level
Remediation/Fixes
Tivoli Storage Manager Client Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
7.1 | 7.1.4 | VMware: Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041076 |
7.1 | 7.1.6.3 | NetApp: AIX, Linux x86, Windows x32, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24042496 |
6.4 | 6.4.3.2 | VMware: Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
6.4 | 6.4.3.4 | NetApp: AIX, Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
6.4 | | VMware/NetApp: Windows x32 | IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 or 7.1 Windows x64 client with the 7.1 (7.1.4 or 7.1.6.3) or 6.4 (6.4.3.2/6.4.3.4) fix. Please refer to APAR IT13174 for more information about Windows x32 and VMware backups. |
6.3 and 6.2 | IBM recommends VMware/NetApp users upgrade to a fixed level of 7.1 (7.1.4 for VMware, 7.1.6.3 for NetApp) or 6.4 (6.4.3.2 for VMware, 6.4.3.4 for NetApp). |
Tivoli Storage Manager for Virtual Environments: Data Protection for VMware Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
7.1 | 7.1.4 | Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041094 |
6.4 | | Linux x86, Windows x64 | Apply the TSM client fixing level (6.4.3.2) |
6.4 | | Windows x32 | IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 Windows x64 client with the 6.4.3.2 fix. Please refer to APAR IT13174 for more information about Windows x32 and Data Protection for VMware. |
6.3 | IBM recommends Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 6.3 users upgrade to 6.4 and apply the TSM client fixing level (6.4.3.2) or upgrade to 7.1.4. |
Workarounds and Mitigations
None
References
Acknowledgement
None
Change History
01 February 2016: Original version published.
03 October 2016: Updated with NetApp information.
01 November 2016: Updated with link to interim fix 6.4.3.4.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg21975397