CVSS2 base score: 7.1 (High)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
The IBM Tivoli Storage Manager (TSM) server and storage agent are affected by a problem related to the SSL implementation which, under very specific conditions, can cause CPU utilization to rapidly increase.
CVE ID: CVE-2014-0963
DESCRIPTION:
TSM server and storage agent are affected by a problem with the handling of certain SSL messages. The TLS implementation can, under very specific conditions, cause CPU utilization to rapidly increase. The situation occurs only in a certain error case that causes a single thread to begin looping. If this happens multiple times, more threads will begin to loop and an increase in CPU utilization will be seen. This increase could ultimately result in CPU exhaustion and unresponsiveness of the Tivoli Storage Manager server and/or storage agent and other software running on the affected system.
This issue can affect the availability of the system, but does not impact system confidentiality or integrity. The vulnerability can be exploited remotely; authentication is not required, and the exploit is moderately complex.
To determine if your systems are being affected by this issue, you can monitor the CPU utilization for Tivoli Storage Manager instances.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92844> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
IBM Tivoli Storage Manager server release levels:
· 7.1.0 (all servers and storage agents)
· 6.3.0 through 6.3.4.30 (all servers)
· 6.3.3 through 6.3.4.30 (all storage agents)
· 6.2.0 through 6.2.6.0 (all servers)
· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)
· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)
IBM has provided patches for all affected versions. Follow the installation instructions included with the patch.
Product | APAR | Remediation/First Fix |
---|---|---|
IBM Tivoli Storage Manager Server 7.1 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix is also provided as part of level 7.1.1: <http://www.ibm.com/support/docview.wss?uid=swg24038353>. Note: If your server or storage agent is on the HP-UX platform, you should not call IBM service for GSKIT 8.0.14.43; you should install 7.1.1 instead. |
IBM Tivoli Storage Manager Server 6.3 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix is also provided as part of level 6.3.5: <http://www.ibm.com/support/docview.wss?uid=swg24038158> |
IBM Tivoli Storage Manager Server 6.2 | IT02298 | Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 7.0.4.50 (or higher). A fix will also be provided as part of level 6.2.7. |
IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only | | Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014. IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release. |
**Method One)** Monitor CPU utilization of your Tivoli Storage Manager server and/or storage agent instances. If utilization becomes abnormally high, stop and restart the affected instance.
**Method Two)** Disable the use of TLS in Tivoli Storage Manager. To do this, perform the following for every server or storage agent instance in your environment:
1. For every server, update the options file (server: dsmserv.opt; storage agent: dsmsta.opt) by commenting out the options statements “SSLTCPPORT xxxx” and “SSLTCPADMINPORT xxxx”. Commenting out entails placing an asterisk at the beginning of the line containing “SSLTCPPORT” and/or “SSLTCPADMINPORT”.
2. Ensure that a TCPPORT or TCPADMINPORT options statement is in the options file and not commented out.
3. Update all server and storage agent definitions to use the TCP port rather than the SSL port in each server and storage agent. For storage agents, you can re-define the setup by using the dsmsta setstorageserver command without the SSL=YES parameter.
4. Update all client options files by commenting out the “SSL YES” option in their respective dsm.sys files and/or options files. Note: A new level of the client is _not_ required for this issue.
5. Stop and restart all storage agents and servers. Then stop and start all clients and client schedulers that use SSL as their communication method.
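Steps 1 and 2 of Method Two can be applied and verified mechanically. The following is an added example, not IBM's code or part of the bulletin: it comments out any active SSLTCPPORT/SSLTCPADMINPORT line in an options file by prefixing it with an asterisk, then checks that no SSL port option remains active and that a TCPPORT or TCPADMINPORT is still in effect. The sample dsmserv.opt content is constructed, and the parser assumes the simple option-name-then-value layout with `*` comments described above.

```python
# Constructed sample dsmserv.opt fragment (not taken from the bulletin).
SAMPLE_OPT = """\
* Tivoli Storage Manager server options (constructed sample)
COMMMETHOD TCPIP
TCPPORT 1500
TCPADMINPORT 1500
SSLTCPPORT 1543
  SSLTCPADMINPORT 1544
"""

SSL_OPTIONS = ("SSLTCPPORT", "SSLTCPADMINPORT")
TCP_OPTIONS = ("TCPPORT", "TCPADMINPORT")


def _option_name(line):
    """Return the upper-cased keyword of an active option line, or None for
    blank lines and '*' comments (assumption: comments start with '*')."""
    stripped = line.strip()
    if not stripped or stripped.startswith("*"):
        return None
    return stripped.split()[0].upper()


def apply_workaround(text):
    """Step 1: comment out SSLTCPPORT / SSLTCPADMINPORT by putting an
    asterisk at the beginning of the line. All other lines are kept as-is,
    so running this twice is harmless."""
    out = []
    for line in text.splitlines(keepends=True):
        if _option_name(line) in SSL_OPTIONS:
            line = "*" + line
        out.append(line)
    return "".join(out)


def check_workaround(text):
    """Steps 1 and 2 as a check: returns (ok, active_ssl, active_tcp) where
    ok is True only if no SSL port option is active and at least one of
    TCPPORT / TCPADMINPORT is active (not commented out)."""
    names = [n for n in (_option_name(l) for l in text.splitlines()) if n]
    active_ssl = [n for n in names if n in SSL_OPTIONS]
    active_tcp = [n for n in names if n in TCP_OPTIONS]
    return (not active_ssl and bool(active_tcp), active_ssl, active_tcp)


if __name__ == "__main__":
    print("before:", check_workaround(SAMPLE_OPT))
    fixed = apply_workaround(SAMPLE_OPT)
    print(fixed, end="")
    print("after:", check_workaround(fixed))
```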