Security Bulletin: Data Protection for Domino GUI Interface Authentication Vulnerability (CVE-2014-6195)

Summary

An unauthorized user could restore Domino database or transaction log backups created with Tivoli Storage Manager for Mail: Data Protection for Domino.

Vulnerability Details

CVEID: CVE-2014-6195

DESCRIPTION:

The restore of a Domino database or transaction log backup via the Tivoli Storage Manager for Mail: Data Protection for Domino Java GUI or Web GUI interface can proceed after an authentication failure. As a result, an unauthorized user could restore the Domino database or transaction log backups.

There is no simple query that can be performed to determine whether this vulnerability has been exploited. The following indicators can be reviewed to help determine whether exploitation has occurred:
    1. The system or Domino administrator sees one or more Domino database and/or transaction log files on the system that they did not expect.
    2. Because the restore and database activation procedure overwrites the current Domino database contents, Domino users may notice "old" data in the Domino database.
    3. A review of the domdsmc.log file shows restore processing messages for restore operations that were not planned.
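As an added example (not part of the IBM bulletin), the following Python script applies indicator 3 above: it scans domdsmc.log-style lines for restore entries and flags any that fall outside an approved restore window. The timestamp and message format of the sample lines is an assumption constructed for illustration; LINE_RE and RESTORE_RE would need adjusting to match the real log output of your installation.

```python
"""Flag unplanned Domino restores in a domdsmc.log-style file.

Added example, not from the IBM bulletin: the line format below is an
assumption constructed for illustration; real domdsmc.log output may
differ, so adjust LINE_RE / RESTORE_RE to match your installation.
"""
import re
from datetime import datetime

# Assumed line format: "MM/DD/YYYY HH:MM:SS  message text"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
# Restore processing messages are assumed to contain "restore"/"restoring".
RESTORE_RE = re.compile(r"\brestor(e|ing)\b", re.IGNORECASE)

# Constructed sample log content (not real product output).
SAMPLE_LOG = """\
02/10/2015 01:00:03  Backup of database mail/jdoe.nsf completed successfully.
02/10/2015 01:00:09  Backup of transaction log completed.
02/10/2015 14:22:41  Restoring database mail/jdoe.nsf from backup taken 02/09/2015 01:00:02.
02/10/2015 14:22:55  Restore of database mail/jdoe.nsf completed successfully.
02/11/2015 22:05:12  Restoring transaction log S0000012.TXN.
"""


def parse_restores(text):
    """Return (timestamp, message) tuples for restore-related log entries."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and RESTORE_RE.search(m.group(2)):
            found.append((datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2)))
    return found


def unplanned_restores(text, planned_windows):
    """Restore entries that fall outside every approved (start, end) window."""
    return [(ts, msg) for ts, msg in parse_restores(text)
            if not any(start <= ts <= end for start, end in planned_windows)]


if __name__ == "__main__":
    # Approved window (constructed): a change ticket covering the 14:00-15:00 job on 02/10.
    windows = [(datetime(2015, 2, 10, 14, 0), datetime(2015, 2, 10, 15, 0))]
    for ts, msg in unplanned_restores(SAMPLE_LOG, windows):
        print(f"UNPLANNED RESTORE {ts:%Y-%m-%d %H:%M:%S}: {msg}")
```

On the constructed sample, the two entries inside the approved window are accepted and the transaction log restore on 02/11 at 22:05 is reported for follow-up.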


CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98607 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)


Affected Products and Versions

Tivoli Storage Manager for Mail: Data Protection for Domino 5.4, 5.5, 6.3, and 7.1


    Note: There are no 6.1, 6.2 or 6.4 releases of this software.

Though this problem only manifests when using the Data Protection for Domino software, the associated defect (and the subsequent fix) is located in the Tivoli Storage Manager (TSM) Client software, which is a prerequisite for using Data Protection for Domino. The affected TSM Backup-Archive Client releases are: 5.4, 5.5, 6.1, 6.2, 6.3, 6.4 and 7.1.

The TSM Backup-Archive Client is available via the following product offerings:
    IBM System Storage Archive Manager
    Tivoli Storage Manager
    Tivoli Storage Manager Extended Edition
    Tivoli Storage Manager Entry
    Tivoli Storage Manager Suite for Unified Recovery Entry
    Tivoli Storage Manager Suite for Unified Recovery Entry - Front End
    Tivoli Storage Manager Suite for Unified Recovery
    Tivoli Storage Manager Suite for Unified Recovery - Archive Option
    Tivoli Storage Manager Suite for Unified Recovery - Front End
    Tivoli Storage Manager Suite for Unified Recovery - ProtecTier

Remediation/Fixes

The tables below list, for each TSM Backup-Archive Client release, the applicable platforms and the first fixing level that can be used with the Data Protection for Domino software.

    Note: Data Protection for Domino requires the use of a TSM Backup-Archive Client at the same, or newer release level.

The APAR number associated with all fixes is: IT04249


TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
7.1 | 64-bit AIX, 64-bit Linux x86_64, 64-bit Linux on Z, Windows x86, Windows x64 | 7.1.1 | Download packages for Tivoli Storage Manager Backup-Archive Client 7.1.1 and READMEs have been removed from the web as they contain unremediated security vulnerabilities. The latest version of 7.1 (7.1.6) contains fixes for the most recent known security and product issues, and can be found using this link: http://www.ibm.com/support/docview.wss?uid=swg24042350 If you have any questions, please contact IBM support.


TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
6.4 | 64-bit AIX, 64-bit Linux on Z, Windows x86, Windows x64 | 6.4.2.1 | http://www.ibm.com/support/docview.wss?uid=swg24038504


TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
6.3 | 64-bit AIX | 6.3.2.1* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/BA/v632/
6.3 | 64-bit Linux on Z | 6.3.2.3* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Linux/LinuxzSeries/v632/
6.3 | Windows x86 | 6.3.2.2* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Windows/x64/v632/
6.3 | Windows x64 | 6.3.2.2* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Windows/x32/v632/

*Note that interim fixes 6.3.2.1 through 6.3.2.5 were removed from ftp. The latest interim fix (6.3.2.6) includes this security fix and should be used.

TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
6.2 | 32-bit AIX | 6.2.5.3 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/AIX/AIX32bit/v625/
6.2 | 64-bit AIX | 6.2.5.3 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/AIX/AIX64bit/v625/
6.2 | 32-bit Linux x86 | 6.2.5.3 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Linux/LinuxX86/v625/
6.2 | 64-bit Linux on Z | 6.2.5.4 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Linux/LinuxzSeries/v625/
6.2 | 32-bit Solaris SPARC | 6.2.5.4 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Solaris/SPARC/v625/
6.2 | Windows x86 | 6.2.5.2 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Windows/x32/v625/
6.2 | Windows x64 | 6.2.5.2 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Windows/x64/v625/

Note: The end of support for release 6.2 is April 30, 2015.

TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
6.1 | 32-bit AIX | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer
6.1 | 64-bit AIX | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer
6.1 | 32-bit Linux x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer
6.1 | z/OS USS Client | 6.1.5.7 | This fix is contained in PTF numbers UI26801 (BA) and UI26802 (API).
6.1 | 32-bit Linux on Z | There is no fix available for this platform on this release. | Customers should use either 5.5.4.4 or update to fix level 6.2.5.4 or newer
6.1 | 64-bit Linux on Z | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.4 or newer
6.1 | 32-bit Solaris SPARC | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.4 or newer
6.1 | Windows x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer
6.1 | Windows x64 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer

Note: Release 6.1 is end of support.

TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
5.5 | 32-bit AIX | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | 32-bit Linux x86 | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | 32-bit Linux on Z | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | 32-bit Solaris SPARC | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | Windows x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer
5.5 | Windows x64 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer
5.5 | z/OS USS Client | There is no fix available for this platform on this release. | Customers should update to fix level 6.1.5.7 or newer

Note: Release 5.5 is end of support.

TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
5.4 | 32-bit AIX, 32-bit Linux x86, 32-bit Solaris SPARC, Windows x86, Windows x64, z/OS USS Client | There is no fix available for this release. | Customers should implement the defined workaround.

Note: Release 5.4 is end of support.

Workarounds and Mitigations

Configure web access, and access to the local machine, so that only trusted users can reach the TSM Backup-Archive Client Java GUI and Web GUI interfaces.

References

Acknowledgement

None

Change History

11 February 2015: Original Copy Published
12 February 2015: Added link to 6.4.2.1 Linux zSeries
17 February 2015: Added links for 6.2.5.4 Linux zSeries and Solaris SPARC
02 April 2015: For the 5.5.4.4 rows, replaced the "target availability" statement with a new statement indicating to contact IBM Support in order to obtain the fix.
21 April 2015: For the 6.1.5.7 USS Client and API, replaced the target availability statement with a statement that the fix is contained in PTF numbers UI26801 (BA) and UI26802 (API).
16 January 2017: Fixed links to 7.1 and 6.4 interim fixes and noted that 6.3.2.1 through 6.3.2.5 have been removed from ftp and 6.3.2.6 should be used.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date: 17 June 2018
UID: swg21695183