IBM Support

Security Bulletin: Tivoli Storage Productivity Center is affected by vulnerabilities in OpenSSL (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)

Created by Dan Bajema on

Security Bulletin


Summary

OpenSSL vulnerabilities were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by Tivoli Storage Productivity Center. Tivoli Storage Productivity Center has addressed the applicable CVEs.

Vulnerability Details

CVE-ID: CVE-2014-3513

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97035
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3567

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3568

DESCRIPTION: OpenSSL could allow a remote attacker bypass security restrictions. When configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.

CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97037
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Tivoli Storage Productivity Center 5.2.0 through 5.2.4.1
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.5
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.184
Tivoli Storage Productivity Center 4.1.x

The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.

System Storage Productivity Center is affected if it has one of the Tivoli Storage Productivity Center versions listed above installed on it.

Remediation/Fixes

Note: It is always recommended to have a current backup before applying any update procedure.

Tivoli Storage Productivity Center V5
Apply the Tivoli Storage Productivity Center fix maintenance as soon as practicable. (See Latest Downloads.)

Affected TPC VersionAPARFixed TPC VersionAvailability
5.2.xIT073145.2.5March 2015
5.1.xIT073145.1.1.6March 2015
After upgrading the Tivoli Storage Productivity Center server to the fixed version, you must also upgrade your Storage Resource agents. In the Tivoli Storage Productivity Center GUI, all existing agents will be marked as "Upgrade needed". Follow the normal Storage Resource agent upgrade procedure, as documented in the Knowlege Center, to deploy the new compliant Storage Resource agents. Once the Storage Resource agents have been upgraded, they will resume showing their running state, i.e. "Up".

Tivoli Storage Productivity Center V4
Apply the Tivoli Storage Productivity Center fix pack as soon as practicable (See Latest Downloads.) and follow the manual steps provided.
Affected TPC VersionAPARFixed TPC VersionAvailability
4.2.xIT073184.2.2 FP8
(4.2.2.191)		March 2015
After upgrading the Tivoli Storage Productivity Center server to the fixed version, you must also upgrade your Storage Resource agents. In the Tivoli Storage Productivity Center GUI, all existing agents will be marked as "Upgrade needed". Follow the normal Storage Resource agent upgrade procedure, as documented in the Knowledge Center, to deploy the new compliant Storage Resource agents. Once the Storage Resource agents have been upgraded, they will resume showing their running state, i.e. "Up".

Note: For Tivoli Storage Productivity Center 4.1.x, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

If you cannot apply the fix provided, you can mitigate exposure in Tivoli Storage Productivity Center by removing all connections to XIV storage subsystems and shutting down the Storage Resource Agents

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

13 March 2015: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS5R93","label":"IBM Spectrum Control"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"5.1;5.1.1;5.2;5.2.1;5.2.2;5.2.3;5.2.4","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"SS5R93","label":"IBM Spectrum Control"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"4.1;4.1.1;4.2;4.2.1;4.2.2","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
19 August 2022

UID

swg21694996

Page Feedback