Security Bulletin: Tivoli Storage Productivity Center affected by vulnerabilities in OpenSSL (CVE-2013-0169, CVE-2012-2686, CVE-2013-0166)

Summary

A number of security vulnerabilities have been discovered in the OpenSSL libraries included in Tivoli Storage Productivity Center. These libraries are used for communications with the Storage Resource agent and some storage systems.

Vulnerability Details

VULNERABILITY DETAILS:

DESCRIPTION:
The vulnerabilities include a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS, a flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms which can be exploited in a DoS attack, and a flaw in the OpenSSL handling of OCSP response verification, which can be exploited in a denial of service attack.

CVE ID:***CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902&gt;
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE ID:***CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81904&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID:***CVE-2012-2686
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81903&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED VERSIONS:
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.1
Tivoli Storage Productivity Center 4.2.0 through 4.2.2 FP3
Tivoli Storage Productivity Center 4.1.x
System Storage Productivity Center (refer to Tivoli Storage Productivity Center version)

Tivoli Storage Productivity Center for Replication is not affected.

REMEDIATION:
The solution is to apply an appropriate Tivoli Storage Productivity Center fix pack fix for each named product, and the solution should be implemented as soon as practicable. To apply the appropriate fix pack, go to the Latest Downloads for Tivoli Storage Productivity Center technote and find a fix pack that at least meets the minimum value listed in the table below.

**Vendor Fix(es):****_
_**Tivoli Storage Productivity Center APAR Fixes

Latest Downloads for Tivoli Storage Productivity Center

Workaround(s):
None

Mitigation(s):
None

REFERENCES:

• _X-Force Vulnerability Database __<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902&gt;_
• _X-Force Vulnerability Database __<https://exchange.xforce.ibmcloud.com/vulnerabilities/81904&gt;_
• _X-Force Vulnerability Database __<https://exchange.xforce.ibmcloud.com/vulnerabilities/81903&gt;_
• OpenSSL Security Advisoryhttp://www.openssl.org/news/secadv_20130204.txt

ACKNOWLEDGEMENT:
None

CHANGE HISTORY:
2015 September 15 - Corrected CVSS Guide link.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html&gt;) to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{“Product”:{“code”:“SS5R93”,“label”:“IBM Spectrum Control”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:“–”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“5.1;5.1.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB26”,“label”:“Storage”}},{“Product”:{“code”:“SS5R93”,“label”:“IBM Spectrum Control”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:" “,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“4.1;4.1.1;4.2;4.2.1;4.2.2”,“Edition”:”",“Line of Business”:{“code”:“LOB26”,“label”:“Storage”}}]