Jun 17, 2018 - 3:16 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2015-0287)

2018-06-17 15:16:15
www.ibm.com
CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL, used by the Tivoli Storage Manager Client, has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0287
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101668 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

This security exposure affects network connections between the Tivoli Storage Manager (IBM Spectrum Protect) Client and VMware services. This exposure affects:

  • Tivoli Storage Manager Client levels:
    - 7.1.0.0 through 7.1.3.x - VMware services with Linux x86 and Windows x64 clients
    - 7.1.0.0 through 7.1.6.2 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
    - 6.4.0.0 through 6.4.3.1 - VMware services with Linux x86, Windows x32, and Windows x64 clients
    - 6.4.0.0 through 6.4.3.3 - NetApp services with AIX, Linux x86, Windows x32, and Windows x64 clients
    - 6.3 all levels
    - 6.2 all levels - TSM 6.2 is beyond End of Support
  • Tivoli Storage Manager for Virtual Environments: Data Protection for VMware levels:
    - 7.1.0.0 through 7.1.3.x - TSM Linux x86 and Windows x64 clients are shipped with 7.1 and are used as the data mover
    - 6.4 all levels when used with an affected TSM client data mover level
    - 6.3 all levels when used with an affected TSM client data mover level

Remediation/Fixes

| Tivoli Storage Manager Client Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.4 | VMware: Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041076 |
| 7.1 | 7.1.6.3 | NetApp: AIX, Linux x86, Windows x32, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24042496 |
| 6.4 | 6.4.3.2 | VMware: Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
| 6.4 | 6.4.3.4 | NetApp: AIX, Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
| 6.4 | | VMware/NetApp: Windows x32 | IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 or 7.1 Windows x64 client with the 7.1 (7.1.4 or 7.1.6.3) or 6.4 (6.4.3.2/6.4.3.4) fix. Please refer to APAR IT13174 for more information about Windows x32 and VMware backups. |
| 6.3 and 6.2 | | | IBM recommends VMware/NetApp users upgrade to a fixed level of 7.1 (7.1.4 for VMware, 7.1.6.3 for NetApp) or 6.4 (6.4.3.2 for VMware, 6.4.3.4 for NetApp). |

| Tivoli Storage Manager for Virtual Environments: Data Protection for VMware Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.4 | Linux x86, Windows x64 | http://www.ibm.com/support/docview.wss?uid=swg24041094 |
| 6.4 | | Linux x86, Windows x64 | Apply the TSM client fixing level (6.4.3.2) |
| 6.4 | | Windows x32 | IBM recommends upgrading the machine to 64-bit and using the TSM 6.4 Windows x64 client with the 6.4.3.2 fix. Please refer to APAR IT13174 for more information about Windows x32 and Data Protection for VMware. |
| 6.3 | | | IBM recommends Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 6.3 users upgrade to 6.4 and apply the TSM client fixing level (6.4.3.2) or upgrade to 7.1.4. |

Workarounds and Mitigations

None
