Security Bulletin: Tivoli Storage Manager Server Certificate Chaining Vulnerability (CVE-2013-6747 )

2018-06-1714:41:47

www.ibm.com

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

JSON

Summary

A certificate chain presented by a Client or Server could contain a circular reference that will cause the chain building logic to loop, crash or hang.

Vulnerability Details

CVE ID: CVE-2013-6747

DESCRIPTION:
A certificate chain presented by a Client or Server could contain a circular reference that will cause the chain building logic to loop which can lead to a segv crash or hang due to memory exhaustion.

CVSS Base Score: 7.1

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/89863> for the current score

CVSS Environmental Score*: Undefined

CVSS Vector:(AV/N:AC/M:Au/N:C/N:I/N:A/C)

Affected Products and Versions

IBM Tivoli Storage Manager server release levels:

· 7.1.0 (all servers and storage agents)

· 6.3.0 through 6.3.4.30 (all servers)

· 6.3.3 through 6.3.4.30 (all storage agents)

· 6.2.0 through 6.2.6.0 (all servers)

· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)

· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)

Remediation/Fixes

The recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available and the links where the fixes can be downloaded.

Product	APAR	Remediation/First Fix
IBM Tivoli Storage Manager Server 7.1	IT02298	Please call IBM service, referencing APAR IT02298.
IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 ( or higher ).
A fix will also be provided as part of level 7.1.1.
IBM Tivoli Storage Manager Server 6.3	IT02298	Please call IBM service, referencing APAR IT02298.
IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 ( or higher ).
A fix will also be provided as part of level 6.3.5.
IBM Tivoli Storage Manager Server 6.2	IT02298	Please call IBM service, referencing APAR IT02298.
IBM Service will provide GSKIT installation files and install instructions to install GSKIT 7.0.4.50 ( or higher ).
A fix will also be provided as part of level 6.2.7.
IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only
Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014.
IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release

Workarounds and Mitigations

Remove the ability for users to use SSL sessions by changing the server and/or storage agent option files to remove the SSL communication options

CPENameOperatorVersion
tivoli storage managereq5.5
tivoli storage managereq6.1
tivoli storage managereq6.2
tivoli storage managereq6.3
tivoli storage managereq6.4
tivoli storage managereq7.1
tivoli storage manager for storage area networkseq6.2
tivoli storage manager for storage area networkseq6.1
tivoli storage manager for storage area networkseq5.5
tivoli storage manager for storage area networkseq6.3

Name	Operator	Version
tivoli storage manager	eq	5.5
tivoli storage manager	eq	6.1
tivoli storage manager	eq	6.2
tivoli storage manager	eq	6.3
tivoli storage manager	eq	6.4
tivoli storage manager	eq	7.1
tivoli storage manager for storage area networks	eq	6.2
tivoli storage manager for storage area networks	eq	6.1
tivoli storage manager for storage area networks	eq	5.5
tivoli storage manager for storage area networks	eq	6.3