Date: 08 May 2009
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2009.0110 AUSCERT Advisory
[Win][AIX]
IBM Tivoli Storage Manager client: Multiple Vulnerabilities
8 May 2009
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: IBM Tivoli Storage Manager (TSM) client
Operating System: AIX
Windows
Impact: Execute Arbitrary Code/Commands
Access Confidential Data
Modify Arbitrary Files
Denial of Service
Inappropriate Access
Access: Remote/Unauthenticated
CVE Names: CVE-2008-4828 CVE-2009-1520 CVE-2009-1521
CVE-2009-1522
Member content until: Thursday, June 04 2009
Revision History: May 8 2009: CVE update
May 7 2009: Initial Release
OVERVIEW:
A number of vulnerabilities have been reported in IBM Tivoli Storage
Manager (TSM) client. The Web GUI, Java GUI and SSL are affected in
certain client releases.
IMPACT:
Two buffer overrun vulnerabilities in the Web GUI and the Java GUI can
lead to a Denial of Service for the TSM client agent or malicious code
injection in the IBM Tivoli Storage Manager (TSM) client 5.1.0.0
through 5.1.8.2, 5.2.0.0 through 5.2.5.3, 5.3.0.0 through 5.3.6.4,
5.4.0.0 through 5.4.2.6, and 5.5.0.0 through 5.5.1.17. [1]
An unauthorised access vulnerability in the client Java GUI could
allow an attacker to read, copy, modify or delete files on the client
5.2.0.0 through 5.2.5.3, 5.3.0.0 through 5.3.6.5, 5.4.0.0 through
5.4.2.6, and 5.5.0.0 through 5.5.1.17, and the TSM Express client
5.3.3.0 through 5.3.6.5. [1]
The TSM client 5.5.0.0 through 5.5.1.17 on AIX and Windows is
vulnerable to man-in-the-middle attacks when SSL is used. [1]
MITIGATION:
Links to the updated packages are available on the vendor's website.
[1]
REFERENCES:
[1] Security fixes for the IBM Tivoli Storage Manager (TSM) client
http://www-01.ibm.com/support/docview.wss?uid=swg21384389
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKA2EYNVH5XJJInbgRAl9QAJ9S4ct7IN2O1otmBTsckSAKPo6k2QCfcU3c
8KGN9xQ0MvQZN0/5X1YunvA=
=e8N3
-----END PGP SIGNATURE-----
|