Security Bulletin: IBM TS3500 Tape Library Update for Security Vulnerability in Web User Interface (CVE-2012-5767)

Abstract

Download an update to the TS3500 Tape Library which contains a fix for a security vulnerability that could allow unauthorized access to restricted actions.

Content

DESCRIPTION:
An authorized user of the TS3500 web user interface could exploit a vulnerability that would give that user a higher level of access than originally granted. However, the TS3500 web user interface continues to prevent any user from accessing data that is read from, written to, or stored on tape media.

The IBM TS3500 tape library firmware has been updated to contain a fix for this vulnerability.

**CVEID:*CVE-2012-5767
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80272 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:
All TS3500 tape libraries with firmware versions lower than C260.

REMEDIATION:
The recommended solution is to apply the fix, which is contained in firmware version C260 and above.

Fix:
Apply firmware version C260 or later, available from IBM Fix Central http://www-933.ibm.com/support/fixcentral/

Workaround(s):
None

Mitigation(s):
Only provide remote login access to persons that can be trusted not to attempt to hack into a higher level of access permissions, or only provide remote login access to persons with administrator privileges (where there is no higher level access to hack into).

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2_ _
· CVE-2012-5767__ __
· _X-Force Vulnerability Database _http://xforce.iss.net/

RELATED INFORMATION:
_IBM Secure Engineering Web Portal _
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Narodowe Archiwum Cyfrowe (National Digital Archives).

[{“Product”:{“code”:“STCVQ6Z”,“label”:“Tape systems-\u003E3584 Tape Library”},“Business Unit”:{“code”:“BU054”,“label”:“Systems w/TPS”},“Component”:“Not Applicable”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“Not Applicable”,“Edition”:“”,“Line of Business”:{“code”:“”,“label”:“”}}]