An unauthorized user could restore Domino database or transaction log backups created with Tivoli Storage Manager for Mail: Data Protection for Domino.
CVEID:CVE-2014-6195
DESCRIPTION:
The restore of a Domino database or transaction log backup via the Tivoli Storage Manager for Mail: Data Protection for Domino Java GUI or Web GUI interface can proceed after an authentication failure. As a result, an unauthorized user could restore the Domino database or transaction log backups.
There is no simple query that can be performed to determine whether this vulnerability has been exploited. The following indicators can be reviewed to help determine if exploitation has occurred:
1. The system or Domino administrator sees one or more Domino database and/or transaction log files on the system that they did not expect.
2. Because the restore and database activation procedure overwrites the current Domino database contents, Domino users may notice “old” data in the Domino database.
3. A review of the domdsmc.log file shows restore processing messages for restores that were not planned.
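Indicator 3 is the one that can be checked mechanically: every restore or activation message in domdsmc.log that does not fall inside an approved change window is a candidate for investigation, and the databases named in those messages are the ones to verify against indicators 1 and 2. The script below is an added example written for this page, not IBM code. The log line layout, the approved-window list and the database names are all constructed for illustration; the real domdsmc.log uses its own message format, so adjust LINE_RE and RESTORE_RE to match the messages your level of Data Protection for Domino writes before running it on a production log.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample of domdsmc.log content. The line layout is an
# assumption for illustration only; the real Data Protection for Domino
# log has its own message format, so adapt LINE_RE/RESTORE_RE to it.
SAMPLE_LOG = """\
2014-12-02 01:05:13 Starting backup of database mail/jdoe.nsf
2014-12-02 01:07:41 Backup of mail/jdoe.nsf completed successfully
2014-12-06 22:02:10 Starting restore of database mail/jdoe.nsf
2014-12-06 22:03:55 Restore of mail/jdoe.nsf completed successfully
2014-12-14 03:15:00 Starting restore of database finance/ledger.nsf
2014-12-14 03:16:10 Activating database finance/ledger.nsf
2014-12-14 03:16:12 Restore of finance/ledger.nsf completed successfully
2014-12-19 14:42:07 Starting restore of transaction logs for finance/ledger.nsf
"""

# Constructed list of approved restore windows (start, end, change ticket).
# Only the 6 Dec restore of mail/jdoe.nsf was planned in this sample.
PLANNED_WINDOWS = [
    (datetime(2014, 12, 6, 22, 0), datetime(2014, 12, 6, 23, 0), "CHG-0001"),
]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
# Restore and activation messages are what the advisory says to look for;
# nightly backup messages are expected noise and are ignored.
RESTORE_RE = re.compile(r"\b(restor\w*|activat\w*)\b", re.IGNORECASE)
TARGET_RE = re.compile(r"(\S+\.(?:nsf|ntf|box))", re.IGNORECASE)


@dataclass(frozen=True)
class RestoreEvent:
    when: datetime
    target: str
    message: str


def parse_restore_events(log_text: str) -> List[RestoreEvent]:
    """Return every restore/activation message in the log, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or anything we cannot timestamp
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        message = m.group(2)
        if not RESTORE_RE.search(message):
            continue
        t = TARGET_RE.search(message)
        events.append(RestoreEvent(when, t.group(1) if t else "unknown", message))
    events.sort(key=lambda e: e.when)
    return events


def is_planned(event: RestoreEvent, windows) -> bool:
    """True if the event falls inside any approved (start, end, ticket) window."""
    return any(start <= event.when <= end for start, end, _ in windows)


def unplanned_restores(log_text: str, windows=PLANNED_WINDOWS) -> List[RestoreEvent]:
    """Restore activity outside every approved window: the lines to investigate."""
    return [e for e in parse_restore_events(log_text) if not is_planned(e, windows)]


def affected_databases(events: List[RestoreEvent]) -> Dict[str, int]:
    """Count unplanned restore messages per database, i.e. the databases whose
    contents and on-disk files should be checked (indicators 1 and 2)."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.target] = counts.get(e.target, 0) + 1
    return counts


if __name__ == "__main__":
    suspicious = unplanned_restores(SAMPLE_LOG)
    for e in suspicious:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.target:<22} {e.message}")
    print("databases to verify on the Domino server:", affected_databases(suspicious))
```

Run it against a copy of domdsmc.log after replacing SAMPLE_LOG with the file contents and PLANNED_WINDOWS with your change records; a non-empty result is not proof of exploitation, but each flagged database should be reconciled with the administrator's expectations and the data users currently see.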
CVSS Base Score: 1.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98607> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)
Tivoli Storage Manager for Mail: Data Protection for Domino 5.4, 5.5, 6.3, and 7.1
Note: There are not 6.1, 6.2 or 6.4 releases of this software.
Though this problem only manifests when using the Data Protection for Domino software, the associated defect (and its fix) is located in the Tivoli Storage Manager (TSM) Backup-Archive Client software, which is a prerequisite for Data Protection for Domino. The affected TSM Backup-Archive Client releases are: 5.4, 5.5, 6.1, 6.2, 6.3, 6.4 and 7.1.
The TSM Backup-Archive Client is available via the following product offerings:
IBM System Storage Archive Manager
Tivoli Storage Manager
Tivoli Storage Manager Extended Edition
Tivoli Storage Manager Entry
Tivoli Storage Manager Suite for Unified Recovery Entry
Tivoli Storage Manager Suite for Unified Recovery Entry - Front End
Tivoli Storage Manager Suite for Unified Recovery
Tivoli Storage Manager Suite for Unified Recovery - Archive Option
Tivoli Storage Manager Suite for Unified Recovery - Front End
Tivoli Storage Manager Suite for Unified Recovery - ProtecTier
The tables below list the TSM Backup-Archive Client releases, platforms, and fixing levels that can be used with the Data Protection for Domino software.
Note: Data Protection for Domino requires a TSM Backup-Archive Client at the same or a newer release level.
The APAR number associated with all fixes is IT04249.
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
7.1 | 64-bit AIX, 64-bit Linux x86_64, 64-bit Linux on Z, Windows x86, Windows x64 | 7.1.1 | Download packages for Tivoli Storage Manager Backup-Archive Client 7.1.1 and their READMEs have been removed from the web because they contain unremediated security vulnerabilities. The latest 7.1 level (7.1.6) contains fixes for the most recent known security and product issues and can be found at http://www.ibm.com/support/docview.wss?uid=swg24042350 . If you have any questions, please contact IBM support.
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
6.4 | 64-bit AIX, 64-bit Linux on Z, Windows x86, Windows x64 | 6.4.2.1 | http://www.ibm.com/support/docview.wss?uid=swg24038504
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
6.3 | 64-bit AIX | 6.3.2.1* | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/BA/v632/>
6.3 | 64-bit Linux on Z | 6.3.2.3* | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Linux/LinuxzSeries/v632/>
6.3 | Windows x86 | 6.3.2.2* | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Windows/x64/v632/>
6.3 | Windows x64 | 6.3.2.2* | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Windows/x32/v632/>

*Note: interim fixes 6.3.2.1 through 6.3.2.5 have been removed from the FTP site. The latest interim fix (6.3.2.6) includes this security fix and should be used.
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
6.2 | 32-bit AIX | 6.2.5.3 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/AIX/AIX32bit/v625/>
6.2 | 64-bit AIX | 6.2.5.3 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/AIX/AIX64bit/v625/>
6.2 | 32-bit Linux x86 | 6.2.5.3 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Linux/LinuxX86/v625/>
6.2 | 64-bit Linux on Z | 6.2.5.4 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Linux/LinuxzSeries/v625/>
6.2 | 32-bit Solaris SPARC | 6.2.5.4 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Solaris/SPARC/v625/>
6.2 | Windows x86 | 6.2.5.2 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Windows/x32/v625/>
6.2 | Windows x64 | 6.2.5.2 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r2/Windows/x64/v625/>

Note: The end of support for the 6.2 release is April 30, 2015.
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
6.1 | 32-bit AIX | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer.
6.1 | 64-bit AIX | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer.
6.1 | 32-bit Linux x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.3 or newer.
6.1 | z/OS USS Client | 6.1.5.7 | This fix is contained in PTF numbers UI26801 (BA) and UI26802 (API).
6.1 | 32-bit Linux on Z | There is no fix available for this platform on this release. | Customers should use either 5.5.4.4 or update to fix level 6.2.5.4 or newer.
6.1 | 64-bit Linux on Z | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.4 or newer.
6.1 | 32-bit Solaris SPARC | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.4 or newer.
6.1 | Windows x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer.
6.1 | Windows x64 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer.

Note: The 6.1 release is out of support.
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
5.5 | 32-bit AIX | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | 32-bit Linux x86 | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | 32-bit Linux on Z | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | 32-bit Solaris SPARC | 5.5.4.4 | Customers with support extensions on 5.5 should contact IBM Support for the fix.
5.5 | Windows x86 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer.
5.5 | Windows x64 | There is no fix available for this platform on this release. | Customers should update to fix level 6.2.5.2 or newer.
5.5 | z/OS USS Client | There is no fix available for this platform on this release. | Customers should update to fix level 6.1.5.7 or newer.

Note: The 5.5 release is out of support.
TSM Backup-Archive Client Release | Applicable Platforms | First Fixing Level (Client) | Remediation / Fix Availability Target
---|---|---|---
5.4 | 32-bit AIX, 32-bit Linux x86, 32-bit Solaris SPARC, Windows x86, Windows x64, z/OS USS Client | There is no fix available for this release. | Customers should implement the workaround below.

Note: The 5.4 release is out of support.

Workaround: Configure web access, and access to the local machine, so that only trusted users can reach the TSM Backup-Archive Client Java GUI and Web GUI interfaces.