IBM Support

Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2015-0287)

Security Bulletin


Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL, used by the Tivoli Storage Manager Client, has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0287
DESCRIPTION:
OpenSSL is vulnerable to a denial of service, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

This security exposure affects network connections between the Tivoli Storage Manager (IBM Spectrum Protect) Client and VMware services. This exposure affects:

  • Tivoli Storage Manager Client levels:
    - 7.1.0.0 through 7.1.3.x - VMware services with Linux x86 and Windows x64 clients
    - 7.1.0.0 through 7.1.6.2 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
    - 6.4.0.0 through 6.4.3.1 - VMware services with Linux x86, Windows x32, and Windows x64 clients
    - 6.4.0.0 through 6.4.3.3 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
    - 6.3 all levels
    - 6.2 all levels - TSM 6.2 is beyond End of Support
  • Tivoli Storage Manager for Virtual Environments: Data Protection for VMware levels:
    - 7.1.0.0 through 7.1.3.x - TSM Linux x86 and Windows x64 clients are shipped with 7.1 and are used as the data mover
    - 6.4 all levels when used with an affected TSM client data mover level
    - 6.3 all levels when used with an affected TSM client data mover level

Remediation/Fixes

| Tivoli Storage Manager Client Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.4 | VMware: Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041076 |
| 7.1 | 7.1.6.3 | NetApp: AIX, Linux x86, Windows x32, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24042496 |
| 6.4 | 6.4.3.2 | VMware: Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
| 6.4 | 6.4.3.4 | NetApp: AIX, Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
| 6.4 | | VMware/NetApp: Windows x32 | IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 or 7.1 Windows x64 client with the 7.1 (7.1.4 or 7.1.6.3) or 6.4 (6.4.3.2/6.4.3.4) fix. Please refer to APAR IT13174 for more information about Windows x32 and VMware backups. |
| 6.3 and 6.2 | | | IBM recommends VMware/NetApp users upgrade to a fixed level of 7.1 (7.1.4 for VMware, 7.1.6.3 for NetApp) or 6.4 (6.4.3.2 for VMware, 6.4.3.4 for NetApp). |

| Tivoli Storage Manager for Virtual Environments: Data Protection for VMware Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.4 | Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041094 |
| 6.4 | | Linux x86, Windows x64 | Apply the TSM client fixing level (6.4.3.2) |
| 6.4 | | Windows x32 | IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 Windows x64 client with the 6.4.3.2 fix. Please refer to APAR IT13174 for more information about Windows x32 and Data Protection for VMware. |
| 6.3 | | | IBM recommends Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 6.3 users upgrade to 6.4 and apply the TSM client fixing level (6.4.3.2) or upgrade to 7.1.4. |
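
The affected ranges and fixing levels for the Tivoli Storage Manager Client can be applied to a client inventory mechanically. The following is an added example, not IBM code and not part of the original bulletin: the helper names (`parse`, `assess`, `triage`) and the inventory rows are constructed for illustration, and the ranges are transcribed from the sections above.

```python
# Added example, not IBM code. Ranges are transcribed from this bulletin.
# (release, service) -> (last affected level, fixing level, affected platforms)
AFFECTED = {
    ("7.1", "VMware"): ("7.1.3.x", "7.1.4", {"Linux x86", "Windows x64"}),
    ("7.1", "NetApp"): ("7.1.6.2", "7.1.6.3",
                        {"AIX", "Linux x86", "Windows x32", "Windows x64"}),
    ("6.4", "VMware"): ("6.4.3.1", "6.4.3.2",
                        {"Linux x86", "Windows x32", "Windows x64"}),
    ("6.4", "NetApp"): ("6.4.3.3", "6.4.3.4",
                        {"AIX", "Linux x86", "Windows x32", "Windows x64"}),
}

def parse(level):
    """'7.1.3.x' -> (7, 1, 3, inf); missing trailing fields count as 0."""
    parts = [float("inf") if p == "x" else int(p) for p in level.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(level, service, platform):
    """Return (status, action) for one TSM client (hypothetical helper)."""
    ver = parse(level)
    release = f"{ver[0]}.{ver[1]}"
    if release in ("6.2", "6.3"):  # all levels affected, no in-release fix
        return "affected", "upgrade to a fixed 7.1 or 6.4 level"
    entry = AFFECTED.get((release, service))
    if entry is None or platform not in entry[2]:
        return "not listed", None  # combination not covered by this bulletin
    last_affected, fix, _ = entry
    if ver > parse(last_affected):  # every listed range starts at x.y.0.0
        return "outside affected range", None
    if release == "6.4" and platform == "Windows x32":
        return "affected", "move to Windows x64 client, see APAR IT13174"
    return "affected", f"apply {fix}"

# Constructed inventory rows: (host, client level, service, platform).
INVENTORY = [
    ("dm-01", "7.1.3.2", "VMware", "Windows x64"),
    ("dm-02", "7.1.4.0", "VMware", "Linux x86"),
    ("nas-01", "7.1.6.2", "NetApp", "AIX"),
    ("dm-03", "6.4.2.0", "VMware", "Windows x32"),
    ("old-01", "6.3.1.0", "VMware", "Linux x86"),
]

def triage(inventory=INVENTORY):
    return {host: assess(lvl, svc, plat) for host, lvl, svc, plat in inventory}

if __name__ == "__main__":
    for host, (status, action) in triage().items():
        print(f"{host}: {status}" + (f" -> {action}" if action else ""))
```

A "not listed" result means only that the bulletin does not name that release, service and platform combination.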

Workarounds and Mitigations

None

References

Acknowledgement

None

Change History

01 February 2016: Original version published.
03 October 2016: Updated with NetApp information.
01 November 2016: Updated with link to interim fix 6.4.3.4.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
17 June 2018

UID

swg21975397