Jun 17, 2018 - 2:41 p.m.

Security Bulletin: TSM Server CPU Utilization (CVE-2014-0963)

www.ibm.com

CVSS2: 7.1 High

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Summary

The IBM Tivoli Storage Manager (TSM) server and storage agent are affected by a problem related to the SSL implementation which, under very specific conditions, can cause CPU utilization to rapidly increase.

Vulnerability Details

CVE ID: CVE-2014-0963

DESCRIPTION:
TSM server and storage agent are affected by a problem with the handling of certain SSL messages. The TLS implementation can, under very specific conditions, cause CPU utilization to rapidly increase. The situation occurs only in a certain error case that causes a single thread to begin looping. If this happens multiple times, more threads will begin to loop and an increase in CPU utilization will be seen. This increase could ultimately result in CPU exhaustion and unresponsiveness of the Tivoli Storage Manager server and/or storage agent and other software running on the affected system.

This issue can affect the availability of the system, but does not impact system confidentiality or integrity. This vulnerability can be exploited remotely; authentication is not required, and the exploit is moderately complex.

To determine if your systems are being affected by this issue, you can monitor the CPU utilization for Tivoli Storage Manager instances.

CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92844> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

IBM Tivoli Storage Manager server release levels:

· 7.1.0 (all servers and storage agents)

· 6.3.0 through 6.3.4.30 (all servers)

· 6.3.3 through 6.3.4.30 (all storage agents)

· 6.2.0 through 6.2.6.0 (all servers)

· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)

· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions included with the patch.

Product / APAR / Remediation/First Fix

Product: IBM Tivoli Storage Manager Server 7.1
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix is also provided as part of level 7.1.1: <http://www.ibm.com/support/docview.wss?uid=swg24038353>
Note: If your server or storage agent is on the HP-UX platform, you should not call IBM service for GSKIT 8.0.14.43. You should install 7.1.1 instead.

Product: IBM Tivoli Storage Manager Server 6.3
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix is also provided as part of level 6.3.5: <http://www.ibm.com/support/docview.wss?uid=swg24038158>

Product: IBM Tivoli Storage Manager Server 6.2
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 7.0.4.50 (or higher). A fix will also be provided as part of level 6.2.7.

Product: IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only
Remediation/First Fix: Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014. IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release.

Workarounds and Mitigations

**Method One)** Monitor CPU utilization of your Tivoli Storage Manager server and/or storage agent instances. If utilization becomes abnormally high, stop and restart the affected instance.
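As an added illustration of Method One (example code written for this page, not from the bulletin or from IBM), the following Python script flags a dsmserv or dsmsta process whose CPU share stays above a threshold for several consecutive `ps` samples, which is what the looping-thread condition described above looks like from the outside. The 90% threshold, the sample count, the `ps -eo pid,pcpu,comm` output format and the process names are assumptions; the three snapshots are constructed. Stopping and restarting the instance stays a manual step, as the bulletin describes.

```python
import subprocess
from typing import Dict, List

# Process names of the TSM server and storage agent binaries (assumption).
TSM_PROCESSES = ("dsmserv", "dsmsta")

# Constructed `ps -eo pid,pcpu,comm` snapshots (not real output): the storage
# agent, pid 901, stays near 100% CPU for two samples, then is restarted as pid 950.
SNAPSHOTS = [
    "  PID %CPU COMMAND\n  812  3.2 dsmserv\n  901 97.5 dsmsta\n   44  0.1 sshd\n",
    "  PID %CPU COMMAND\n  812  4.0 dsmserv\n  901 98.9 dsmsta\n   44  0.1 sshd\n",
    "  PID %CPU COMMAND\n  812  3.8 dsmserv\n  950  1.2 dsmsta\n   44  0.1 sshd\n",
]


def parse_ps(ps_output: str) -> List[Dict]:
    """Parse `ps -eo pid,pcpu,comm` text (header line plus rows) into dicts."""
    rows = []
    for line in ps_output.strip().splitlines()[1:]:   # skip the header line
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, pcpu, comm = parts
        rows.append({"pid": int(pid), "pcpu": float(pcpu), "comm": comm})
    return rows


class SustainedCpuDetector:
    """Flag TSM processes whose CPU share stays above a threshold for several samples.

    A single high reading is ignored (backups and expiration legitimately burn CPU);
    the looping-thread condition in the bulletin shows up as CPU that stays high.
    """

    def __init__(self, threshold: float = 90.0, consecutive: int = 3):
        self.threshold = threshold          # percent CPU; illustrative value, tune per host
        self.consecutive = consecutive      # samples in a row before alerting
        self._streak: Dict[int, int] = {}   # pid -> consecutive samples above threshold

    def observe(self, rows: List[Dict]) -> List[int]:
        """Feed one snapshot; return pids that have been hot for `consecutive` samples."""
        seen, alerts = set(), []
        for r in rows:
            if not any(r["comm"].startswith(p) for p in TSM_PROCESSES):
                continue
            seen.add(r["pid"])
            if r["pcpu"] >= self.threshold:
                self._streak[r["pid"]] = self._streak.get(r["pid"], 0) + 1
            else:
                self._streak[r["pid"]] = 0
            if self._streak[r["pid"]] >= self.consecutive:
                alerts.append(r["pid"])
        # Forget pids that vanished, e.g. an instance that was stopped and restarted.
        for pid in list(self._streak):
            if pid not in seen:
                del self._streak[pid]
        return alerts


def live_snapshot() -> List[Dict]:
    """Take a real snapshot on a Unix-like host (assumes ps accepts -eo pid,pcpu,comm)."""
    out = subprocess.run(["ps", "-eo", "pid,pcpu,comm"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


if __name__ == "__main__":
    detector = SustainedCpuDetector(threshold=90.0, consecutive=2)
    for i, snap in enumerate(SNAPSHOTS):
        hot = detector.observe(parse_ps(snap))
        print(f"sample {i}: sustained-high TSM pids = {hot}")
```

One caveat when running this against a live host: on Linux procps the `%CPU` column is the process's CPU time divided by its elapsed time since start, so a server that has been up for weeks reacts slowly to a thread that begins looping. Sampling CPU time deltas between two readings (or the per-interval figure from top) gives a faster signal; the detector logic above is unchanged either way.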

**Method Two)** Disable the use of TLS in Tivoli Storage Manager. To do this, perform the following for every Server or Storage agent instance in your environment:

1. For every server, update the options file (server: dsmserv.opt; storage agent: dsmsta.opt) by commenting out the options statements "SSLTCPPORT xxxx" and "SSLTCPADMINPORT xxxx". Commenting out entails placing an asterisk at the beginning of the line containing "SSLTCPPORT" and/or "SSLTCPADMINPORT".
2. Ensure that a TCPPORT or TCPADMINPORT options statement is in the options file and not commented out.
3. Update all server and storage agent definitions to use the TCP port rather than the SSL port in each server and storage agent. For storage agents, you can re-define the setup by using the dsmsta setstorageserver command and not using the SSL=YES parameter.
4. Update all client options files by commenting out the "SSL YES" option in their respective dsm.sys files and/or options files. Note: A new level of the client is _not_ required for this issue.
5. Stop and re-start all storage agents and servers. Then, stop and start all clients and client schedulers that are using SSL as their communication methods.
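Steps 1 and 2 of Method Two are a mechanical edit of the options file, and the part most worth checking before the restart in step 5 is that no SSL listener is left active and a plain TCP listener still is. The Python below, an added example rather than anything shipped by IBM, applies step 1 (an asterisk at the start of the SSLTCPPORT/SSLTCPADMINPORT lines, as the bulletin specifies) and then performs the step 2 check. The sample options file and its port numbers are constructed, and treating option names as case-insensitive is an assumption for this example. Steps 3 and 4 (server definitions and client dsm.sys files) are done through TSM commands and are not covered here.

```python
import re
from typing import Dict, List, Tuple

# Options named in the bulletin's workaround. Option names are compared
# case-insensitively here (assumption for this example).
SSL_OPTIONS = ("SSLTCPPORT", "SSLTCPADMINPORT")
TCP_OPTIONS = ("TCPPORT", "TCPADMINPORT")

# The first token of an uncommented line is the option name.
OPTION_RE = re.compile(r"^\s*([A-Za-z]+)\b")

# Constructed sample dsmserv.opt; port numbers are illustrative, not from the bulletin.
SAMPLE_DSMSERV_OPT = """\
* constructed sample options file
COMMMETHOD TCPIP
TCPPORT 1500
TCPADMINPORT 1501
SSLTCPPORT 1543
SSLTCPADMINPORT 1544
DEVCONFIG devconfig.out
"""


def disable_ssl_ports(opt_text: str) -> Tuple[str, List[str]]:
    """Step 1: comment out SSLTCPPORT/SSLTCPADMINPORT by prefixing the line with '*'.

    Returns the rewritten file text and the option names that were disabled.
    Lines that already start with '*' are left alone, so a second run changes nothing.
    """
    out, disabled = [], []
    for line in opt_text.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1).upper() in SSL_OPTIONS:
            out.append("*" + line)            # '*' at column 0 is a TSM comment
            disabled.append(m.group(1).upper())
        else:
            out.append(line)
    trailer = "\n" if opt_text.endswith("\n") else ""
    return "\n".join(out) + trailer, disabled


def active_options(opt_text: str) -> Dict[str, str]:
    """Map each uncommented option name (upper-cased) to its value text."""
    active: Dict[str, str] = {}
    for line in opt_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("*"):
            continue
        parts = stripped.split(None, 1)
        active[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return active


def check_tcp_fallback(opt_text: str) -> List[str]:
    """Step 2: verify no SSL listener remains and a plain TCP listener is active.

    Returns a list of problems; an empty list means the file passes the check.
    """
    active = active_options(opt_text)
    problems = []
    still_ssl = [o for o in SSL_OPTIONS if o in active]
    if still_ssl:
        problems.append("SSL listener still enabled: " + ", ".join(still_ssl))
    if not any(o in active for o in TCP_OPTIONS):
        problems.append("no active TCPPORT or TCPADMINPORT; clients would have no listener")
    return problems


if __name__ == "__main__":
    new_text, disabled = disable_ssl_ports(SAMPLE_DSMSERV_OPT)
    print("disabled:", disabled)
    print("before:", check_tcp_fallback(SAMPLE_DSMSERV_OPT))
    print("after:", check_tcp_fallback(new_text))
    print(new_text)
```

To use it on a real instance, read dsmserv.opt or dsmsta.opt into a string, write the returned text back only when `check_tcp_fallback` returns an empty list, and keep the original file so the SSL ports can be re-enabled once the GSKIT fix is installed.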

