Security Bulletin
Summary
An unauthorized user could restore Domino database or transaction log backups created with Tivoli Storage Manager for Mail: Data Protection for Domino.
Vulnerability Details
CVEID: CVE-2014-6195
DESCRIPTION:
The restore of a Domino database or transaction log backup via the Tivoli Storage Manager for Mail: Data Protection for Domino Java GUI or Web GUI interface can proceed after an authentication failure. As a result, an unauthorized user could restore the Domino database or transaction log backups.
There is no simple query that can be performed to determine whether this vulnerability has been exploited. The following can be reviewed to help determine whether exploitation has occurred:
1. The system or Domino administrator sees one or more Domino database and/or transaction log files on the system that they did not expect.
2. Because the restore and database activation procedure overwrites the current Domino database contents, Domino users may notice "old" data in the Domino database.
3. The domdsmc.log file contains restore processing messages for restores that were not planned.
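The third check above (reviewing domdsmc.log for restores nobody scheduled) can be done mechanically by comparing the timestamps of restore and activation messages against the change windows in which restores were approved. The following is an added example written for this bulletin, not IBM's code or a documented Data Protection for Domino tool: the log layout (a "MM/DD/YYYY HH:MM:SS" timestamp followed by message text), the sample log lines and the change-window records are constructed for illustration, and the keyword match on "restore"/"activate" is an assumption that should be adjusted to the message text your installation actually writes.

```python
"""Review a Data Protection for Domino log (domdsmc.log) for restore or
activation activity that falls outside approved change windows.

Added example. The line layout and sample messages below are CONSTRUCTED
and are not guaranteed to match real domdsmc.log output; adapt LINE_RE and
RESTORE_RE to the format your installation writes.
"""
import re
from datetime import datetime

# Assumed layout: "MM/DD/YYYY HH:MM:SS <message text>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
TS_FMT = "%m/%d/%Y %H:%M:%S"

# Restore and activation are the operations the bulletin says could be
# triggered after an authentication failure; match on keywords only, since
# no specific message identifiers are assumed here.
RESTORE_RE = re.compile(r"\b(restor(e|ing|ed)|activat(e|ing|ed))\b", re.IGNORECASE)


def parse_log(text):
    """Yield (timestamp, message) for each line matching the assumed layout."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, blank lines, wrapped continuation text
        yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def in_window(ts, windows):
    """True if ts lies inside any approved (start, end) window, inclusive."""
    return any(start <= ts <= end for start, end in windows)


def unplanned_restores(text, approved_windows):
    """Return (timestamp, message) for restore/activation events outside
    every approved window. approved_windows is a list of (start, end)
    datetime pairs taken from change records."""
    findings = []
    for ts, msg in parse_log(text):
        if RESTORE_RE.search(msg) and not in_window(ts, approved_windows):
            findings.append((ts, msg))
    return findings


# Constructed sample: one approved restore of mail/bob.nsf on 10 Feb inside
# its change window, then a restore and activation of names.nsf at 03:12 on
# 11 Feb for which no change was approved.
SAMPLE_LOG = """\
02/10/2015 22:05:41 Backup of database mail/alice.nsf completed
02/10/2015 23:14:02 Restore of database mail/bob.nsf started from backup dated 02/09/2015
02/10/2015 23:16:55 Restore completed for mail/bob.nsf
02/11/2015 03:12:07 Restore of database names.nsf started from backup dated 01/30/2015
02/11/2015 03:12:58 Restore completed for names.nsf
02/11/2015 03:13:20 Activating restored database names.nsf
02/11/2015 04:00:00 Backup of database mail/carol.nsf completed
"""

# Constructed change record: restore of mail/bob.nsf approved 23:00-23:30 on 10 Feb.
APPROVED = [
    (datetime(2015, 2, 10, 23, 0), datetime(2015, 2, 10, 23, 30)),
]

if __name__ == "__main__":
    for ts, msg in unplanned_restores(SAMPLE_LOG, APPROVED):
        print(f"UNPLANNED {ts:%Y-%m-%d %H:%M:%S} {msg}")
```

Run against the real log with the change records for the host; anything reported is a restore that was either undocumented or, given this bulletin, possibly performed by someone who never authenticated. Backup messages are deliberately ignored so the output stays short enough to review by hand.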
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98607 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
Tivoli Storage Manager for Mail: Data Protection for Domino 5.4, 5.5, 6.3, and 7.1
Note: There are not 6.1, 6.2 or 6.4 releases of this software.
Though this problem only manifests when using the Data Protection for Domino software, the associated defect (and its fix) is located in the Tivoli Storage Manager (TSM) Backup-Archive Client software, which is a prerequisite for Data Protection for Domino. The affected TSM Backup-Archive Client releases are 5.4, 5.5, 6.1, 6.2, 6.3, 6.4 and 7.1.
The TSM Backup-Archive Client is available via the following product offerings:
IBM System Storage Archive Manager
Tivoli Storage Manager
Tivoli Storage Manager Extended Edition
Tivoli Storage Manager Entry
Tivoli Storage Manager Suite for Unified Recovery Entry
Tivoli Storage Manager Suite for Unified Recovery Entry - Front End
Tivoli Storage Manager Suite for Unified Recovery
Tivoli Storage Manager Suite for Unified Recovery - Archive Option
Tivoli Storage Manager Suite for Unified Recovery - Front End
Tivoli Storage Manager Suite for Unified Recovery - ProtecTier
Remediation/Fixes
The tables below list the TSM Backup-Archive Client releases, platforms, and fixing levels that can be used with the Data Protection for Domino software.
Note: Data Protection for Domino requires a TSM Backup-Archive Client at the same or a newer release level.
The APAR number associated with all fixes is IT04249.
| TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target |
| 7.1 | 64-bit AIX; 64-bit Linux x86_64; 64-bit Linux on Z; Windows x86; Windows x64 | 7.1.1 | Download packages for Tivoli Storage Manager Backup-Archive Client 7.1.1 and READMEs have been removed from the web as they contain unremediated security vulnerabilities. The latest version of 7.1 (7.1.6) contains fixes for the most recent known security and product issues, and can be found using this link: http://www.ibm.com/support/docview.wss?uid=swg24042350 If you have any questions, please contact IBM support. |

| TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target |
| 6.4 | 64-bit AIX; 64-bit Linux on Z; Windows x86; Windows x64 | 6.4.2.1 | http://www.ibm.com/support/docview.wss?uid=swg24038504 |

| TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target |
| 6.3 | 64-bit AIX | 6.3.2.1* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/BA/v632/ |
| 6.3 | 64-bit Linux on Z | 6.3.2.3* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Linux/LinuxzSeries/v632/ |
| 6.3 | Windows x86 | 6.3.2.2* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Windows/x32/v632/ |
| 6.3 | Windows x64 | 6.3.2.2* | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Windows/x64/v632/ |
* 6.3.2.1 through 6.3.2.5 have been removed from the ftp site; 6.3.2.6 contains the fix and should be used.

| TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target |
| 6.1 (end of support) | 32-bit AIX | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer. |
| 6.1 (end of support) | 64-bit AIX | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer. |
| 6.1 (end of support) | 32-bit Linux x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer. |
| 6.1 (end of support) | z/OS USS Client | 6.1.5.7 | This fix is contained in PTF numbers UI26801 (BA) and UI26802 (API). |
| 6.1 (end of support) | 32-bit Linux on Z | There is no fix available for this platform on this release. | Customers should either use 5.5.4.4 or update to fix level 6.2.5.4 or newer. |
| 6.1 (end of support) | 64-bit Linux on Z | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.4 or newer. |
| 6.1 (end of support) | 32-bit Solaris SPARC | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.4 or newer. |
| 6.1 (end of support) | Windows x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer. |
| 6.1 (end of support) | Windows x64 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer. |

| TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target |
| 5.5 (end of support) | 32-bit AIX | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix. |
| 5.5 (end of support) | 32-bit Linux x86 | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix. |
| 5.5 (end of support) | 32-bit Linux on Z | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix. |
| 5.5 (end of support) | 32-bit Solaris SPARC | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix. |
| 5.5 (end of support) | Windows x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer. |
| 5.5 (end of support) | Windows x64 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer. |
| 5.5 (end of support) | z/OS USS Client | There is no fix available for this platform on this release. | Customers should update to fix level 6.1.5.7 or newer. |

| TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target |
| 5.4 (end of support) | 32-bit AIX; 32-bit Linux x86; 32-bit Solaris SPARC; Windows x86; Windows x64; z/OS USS Client | There is no fix available for this release. | Customers should implement the defined workaround. |
Workarounds and Mitigations
Configure web access, and access to the local machine, so that only trusted users can reach the TSM Backup-Archive Client Java GUI and Web GUI interfaces. Because the restore can proceed after an authentication failure, network and host access controls in front of these interfaces are the only protection on releases without a fix.
References
Acknowledgement
None
Change History
11 February 2015: Original Copy Published
12 February 2015: Added link to 6.4.2.1 Linux zSeries
17 February 2015: Added links for 6.2.5.4 Linux zSeries and Solaris SPARC
02 April 2015: For the 5.5.4.4 rows, replaced the "target availability" statement with a new statement indicating to contact IBM Support in order to obtain the fix.
21 April 2015: For the 6.1.5.7 USS Client and API, replaced the target availability statement with a statement that the fix is contained in PTF numbers UI26801 (BA) and UI26802 (API).
16 January 2017: Fixed links to 7.1 and 6.4 interim fixes and noted that 6.3.2.1 through 6.3.2.5 have been removed from ftp and 6.3.2.6 should be used.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
17 June 2018
UID
swg21695183