History: Jun 17, 2018 - 2:41 p.m.

Security Bulletin: Tivoli Storage Manager Server Certificate Chaining Vulnerability (CVE-2013-6747 )

www.ibm.com

7.1 High (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

Summary

A certificate chain presented by a Client or Server could contain a circular reference that will cause the chain building logic to loop, crash or hang.

Vulnerability Details

CVE ID: CVE-2013-6747

DESCRIPTION:
A certificate chain presented by a client or server could contain a circular reference that will cause the chain building logic to loop, which can lead to a SIGSEGV crash or a hang due to memory exhaustion.
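As an added illustration (not IBM's or GSKit's code), the following simplified chain builder models certificates as (subject, issuer) pairs and shows the checks that stop the loop the bulletin describes: a set of subjects already on the path and a depth bound. The Cert class, ChainError and the sample chains are constructed for this example.

```python
from dataclasses import dataclass


# Minimal stand-in for an X.509 certificate: only the two fields that chain
# building needs. Real code would take these from the parsed certificate.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when no terminating chain can be built from the presented certs."""


def build_chain(leaf: Cert, presented: list[Cert], max_depth: int = 10) -> list[Cert]:
    """Walk issuer links from the leaf until a self-signed root is reached.

    The hardening is the 'seen' set and the depth bound: a chain that refers
    back to a certificate already on the path, or that never reaches a root,
    is rejected instead of being walked (and accumulated in memory) forever.
    """
    by_subject = {c.subject: c for c in presented}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.self_signed:
        if len(chain) >= max_depth:
            raise ChainError(f"chain exceeds {max_depth} certificates without reaching a root")
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            raise ChainError(f"issuer {current.issuer!r} not in presented chain")
        if nxt.subject in seen:
            raise ChainError(f"circular reference back to {nxt.subject!r}")
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    return chain


# Constructed sample input: a valid three-certificate chain ...
GOOD = [Cert("leaf", "inter"), Cert("inter", "root"), Cert("root", "root")]
# ... and a chain whose issuer links form a cycle and never reach a root.
CYCLIC = [Cert("leaf", "inter"), Cert("inter", "sub"), Cert("sub", "leaf")]


def check(presented: list[Cert]) -> str:
    """Return a one-line verdict for the chain whose first element is the leaf."""
    try:
        return "ok: " + " -> ".join(c.subject for c in build_chain(presented[0], presented))
    except ChainError as e:
        return f"rejected: {e}"
```

Without the `seen` check and depth bound, the CYCLIC input would make the loop run indefinitely while `chain` grows without limit, which is the hang and memory-exhaustion behaviour the description refers to.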

CVSS Base Score: 7.1

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/89863> for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

IBM Tivoli Storage Manager server release levels:

· 7.1.0 (all servers and storage agents)

· 6.3.0 through 6.3.4.30 (all servers)

· 6.3.3 through 6.3.4.30 (all storage agents)

· 6.2.0 through 6.2.6.0 (all servers)

· 6.1.0 through 6.1.5.xxx (AIX and Windows servers only)

· 5.5.0 through 5.5.7.xxx (AIX and Windows servers only)

Remediation/Fixes

The recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available and the links where the fixes can be downloaded.

Product: IBM Tivoli Storage Manager Server 7.1
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix will also be provided as part of level 7.1.1.

Product: IBM Tivoli Storage Manager Server 6.3
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 8.0.14.43 (or higher). A fix will also be provided as part of level 6.3.5.

Product: IBM Tivoli Storage Manager Server 6.2
APAR: IT02298
Remediation/First Fix: Please call IBM service, referencing APAR IT02298. IBM Service will provide GSKIT installation files and install instructions to install GSKIT 7.0.4.50 (or higher). A fix will also be provided as part of level 6.2.7.

Product: IBM Tivoli Storage Manager Server 6.1 and 5.5, on AIX and Windows only
APAR: none
Remediation/First Fix: Please note that IBM has previously announced End of Support for these versions, effective April 30, 2014. IBM recommends using the Workaround specified below, or upgrading to a fixed, supported release.

Workarounds and Mitigations

Remove the ability for users to use SSL sessions by changing the server and/or storage agent option files to remove the SSL communication options.
