-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0158
        A number of vulnerabilities have been found within the IBM
                       Tivoli Storage Manager Client
                              5 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM TSM Client Web GUI
                   IBM TSM Client Scheduler
Publisher:         IBM
Operating System:  Windows
                   HP-UX
                   Linux variants
                   OS X
                   Solaris
                   AIX
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0472 CVE-2013-0471 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21624118
   http://www-01.ibm.com/support/docview.wss?uid=swg24034276

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: TSM Client Web GUI Unauthorized Access Vulnerability 
(CVE-2013-0472)

Flash (Alert)

Document information

Tivoli Storage Manager

Client

Software version: 6.3, 6.4

Operating system(s): AIX, HP-UX, Linux, Macintosh, Solaris, Windows

Reference #: 1624118

Modified date: 2013-01-31

Abstract

An unauthorized access vulnerability exists in the IBM Tivoli Storage Manager
(TSM) client Web GUI.

DESCRIPTION:

A vulnerability in the TSM client Web GUI allows unauthorized access from the
local network to files stored on the TSM server.

CVEID: CVE-2013-0472
CVSS Base Score: 5.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81216 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:

TSM Client 6.4.0.0
TSM Client 6.3.0.x

REMEDIATION:

TSM Release       First Fixing VRMF Level   Client Platform   APAR     Link to fix
6.4               6.4.0.1                   All               IC87210  http://www.ibm.com/support/docview.wss?uid=swg24034276
6.3               6.3.1.0                   All               IC87210  http://www.ibm.com/support/docview.wss?uid=swg24034109

Workaround(s): None

Mitigation(s): None

REFERENCES:

Complete CVSS Guide http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2 http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2013-0472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0472
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81216

RELATED INFORMATION: 

IBM Secure Engineering Web Portal 
https://www-304.ibm.com/jct03001c/security/secure-engineering/
IBM Product Security Incident Response Blog
https://www.ibm.com/blogs/PSIRT

ACKNOWLEDGEMENT: 
None

CHANGE HISTORY
31 January 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY

Cross reference information
Segment             Product                                      Component  Platform                                     Version   Edition
Storage Management  Tivoli Storage Manager Extended Edition      Client     AIX, HP-UX, Linux, Solaris, Windows, Mac OS  6.3, 6.4
Storage Management  IBM System Storage Archive Manager                                                                   6.3, 6.4
Storage Management  Tivoli Storage Manager for Space Management             AIX, Linux                                   6.3, 6.4

- -----------------------------------------------------------------------------

Security Bulletin: TSM Client Scheduler Denial Of Service Vulnerability 
(CVE-2013-0471)

Flash (Alert)

Document information

Tivoli Storage Manager

Client

Software version: 5.5, 6.1, 6.2, 6.3, 6.4

Operating system(s): All Platforms

Reference #: 1624135

Modified date: 2013-01-31

Abstract

A Denial of Service vulnerability exists in the IBM Tivoli Storage Manager
(TSM) client traditional scheduler.

DESCRIPTION: A Denial of Service vulnerability in the TSM client traditional 
scheduler allows a remote attacker to disable the traditional scheduler when 
it is in Prompted mode (SCHEDMODE=PROMPTED). Once disabled, no more schedules
(such as scheduled backups) will be run, and the TSM server log will show that
schedules for that node are missed.

CVEID: CVE-2013-0471
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81215 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:

TSM Client 6.4.0.0
TSM Client 6.3.0.x
TSM Client 6.2.0.0 through 6.2.4.x 
TSM Client 6.1.0.0 through 6.1.5.x 
TSM Client 5.5.0.0 through 5.5.4.x 
all previous releases, which are unsupported

REMEDIATION:

TSM Release       First Fixing VRMF Level   Client Platform   APAR     Link to fix
6.4               6.4.0.1                   All               IC87331  http://www.ibm.com/support/docview.wss?uid=swg24034276
6.3               6.3.1.0                   All               IC87331  http://www.ibm.com/support/docview.wss?uid=swg24034109
6.2               6.2.5.0                   All               IC87331  Fix target availability: April 2, 2013. Use workarounds
                                                                       until then, or upgrade to a fixing 6.3 or 6.4 client.
6.1               None                      -                 -        Upgrade to a fixing 6.3 or 6.4 client, or use workarounds.
5.5               None                      -                 -        Upgrade to a fixing 6.3 or 6.4 client, or use workarounds.
5.4 and previous  None                      -                 -        No longer in support. Upgrade to a fixing 6.3 or 6.4 client,
                                                                       or use workarounds.

Workaround(s):

If using the traditional scheduler, set the SCHEDMODE option value to POLLING,
which is the default value, in the client options file or on the command line.

Alternatively, configure the scheduler to be managed by the Client Acceptor
Daemon (CAD), by specifying 'MANAGEDSERVICES SCHEDULE' or
'MANAGEDSERVICES SCHEDULE WEBCLIENT' in the client options file.

Mitigation(s): See Workarounds above.
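The remediation table and the workarounds above, turned into two checks an
administrator can run across a TSM client estate. This is an added example, not
code from the IBM bulletin or from AusCERT: tsm_client_fixed compares a client's
V.R.M.F level with the first fixing level of its release train as listed in the
table (6.4 -> 6.4.0.1, 6.3 -> 6.3.1.0, 6.2 -> 6.2.5.0; none for 6.1, 5.5 and
earlier), and tsm_sched_exposed scans a client options file (dsm.opt or dsm.sys)
for the exposed combination, SCHEDMODE PROMPTED with the scheduler not handed to
the client acceptor. Assumptions: one "KEYWORD value" option per line, keywords
spelled out in full, '*' starting a comment line, and the function names,
node name and server address in the constructed sample files are illustrative
only. A 6.2 client reported as "below first fixing level" should be read with
the April 2, 2013 fix target in the table.

```shell
#!/bin/sh
# Added example, not from the IBM or AusCERT bulletin. Fix levels follow the
# remediation table above; option file conventions (one option per line,
# '*' comment lines, full keyword spelling) are assumptions.

# tsm_client_fixed V.R.M.F
# Exit status 0: level is at or above the first fixing level for its release
# train; 1: below it (apply the APAR IC87331 fix); 2: the train has no fixing
# level (upgrade to a fixing 6.3 or 6.4 client, or apply the workarounds).
tsm_client_fixed() {
    # split "6.4.0.1" into positional fields V R M F (missing fields -> 0)
    set -- $(printf '%s' "$1" | tr . ' ')
    V=$1; R=$2; M=${3:-0}; F=${4:-0}
    case "$V.$R" in
        6.4) fix_m=0; fix_f=1 ;;   # 6.4.0.1
        6.3) fix_m=1; fix_f=0 ;;   # 6.3.1.0
        6.2) fix_m=5; fix_f=0 ;;   # 6.2.5.0 (target April 2, 2013)
        *)   return 2 ;;           # 6.1, 5.5 and earlier: no fixing level
    esac
    [ "$M" -gt "$fix_m" ] && return 0
    [ "$M" -eq "$fix_m" ] && [ "$F" -ge "$fix_f" ] && return 0
    return 1
}

# tsm_sched_exposed OPTFILE
# Exit status 0 when the file selects SCHEDMODE PROMPTED and does not hand the
# scheduler to the client acceptor (MANAGEDSERVICES ... SCHEDULE); 1 otherwise.
tsm_sched_exposed() {
    # keep only active option lines: drop '*' comment lines
    opts=$(grep -v '^[[:space:]]*\*' "$1")
    if printf '%s\n' "$opts" | grep -iq '^[[:space:]]*SCHEDMODE[[:space:]][[:space:]]*PROMPTED'; then
        if printf '%s\n' "$opts" | grep -iq '^[[:space:]]*MANAGEDSERVICES[[:space:]].*SCHEDULE'; then
            return 1   # workaround 2 applied: CAD manages the scheduler
        fi
        return 0       # prompted mode with an unmanaged traditional scheduler
    fi
    return 1           # polling mode (the default) or no scheduler settings
}

# tsm_write_samples DIR
# Writes three constructed option files (not real customer configurations):
# prompted.opt (exposed), polling.opt (workaround 1), cad.opt (workaround 2).
tsm_write_samples() {
    cat > "$1/prompted.opt" <<'EOF'
* constructed sample: traditional scheduler left in prompted mode
NODENAME          backup-node-01
TCPSERVERADDRESS  tsm.example.internal
SCHEDMODE         PROMPTED
EOF
    cat > "$1/polling.opt" <<'EOF'
* constructed sample: workaround 1, polling mode
NODENAME          backup-node-01
TCPSERVERADDRESS  tsm.example.internal
SCHEDMODE         POLLING
EOF
    cat > "$1/cad.opt" <<'EOF'
* constructed sample: workaround 2, scheduler managed by the client acceptor
NODENAME          backup-node-01
TCPSERVERADDRESS  tsm.example.internal
SCHEDMODE         PROMPTED
MANAGEDSERVICES   SCHEDULE WEBCLIENT
EOF
}

# Stand-alone run: report a few constructed client levels and option files.
tmp=$(mktemp -d)
tsm_write_samples "$tmp"
for v in 6.4.0.0 6.4.0.1 6.3.0.4 6.3.1.0 6.2.4.2 6.1.5.0 5.5.4.1; do
    rc=0; tsm_client_fixed "$v" || rc=$?
    case $rc in
        0) echo "$v: at or above first fixing level" ;;
        1) echo "$v: below first fixing level, apply the IC87331 fix" ;;
        2) echo "$v: no fixing level for this release, upgrade or apply workarounds" ;;
    esac
done
for f in "$tmp"/*.opt; do
    if tsm_sched_exposed "$f"; then
        echo "$f: EXPOSED (SCHEDMODE PROMPTED, scheduler not managed by CAD)"
    else
        echo "$f: ok"
    fi
done
rm -rf "$tmp"
```

Run the script on each client, or feed it the inventory of client levels and a
copy of each options file; the two exit-status conventions make it easy to wrap
in a fleet-wide loop that only lists exposed nodes.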

REFERENCES: 

Complete CVSS Guide http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2 http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE-2013-0471 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0471
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/81215

RELATED INFORMATION: 

IBM Secure Engineering Web Portal 
https://www-304.ibm.com/jct03001c/security/secure-engineering/
IBM Product Security Incident Response Blog
https://www.ibm.com/blogs/PSIRT

ACKNOWLEDGEMENT:
None

CHANGE HISTORY 
31 January 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY

Cross reference information
Segment             Product                                      Component  Platform                                     Version                  Edition
Storage Management  Tivoli Storage Manager for Space Management             AIX, Linux                                   5.5, 6.1, 6.2, 6.3, 6.4
Storage Management  Tivoli Storage Manager Extended Edition      Client     AIX, HP-UX, Linux, Solaris, Windows, Mac OS  5.5, 6.1, 6.2, 6.3, 6.4
Storage Management  IBM System Storage Archive Manager                      AIX, HP-UX, Linux, Solaris, Windows, Mac OS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----