CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS
Percentile
60.4%
Download an update to the TS3500 Tape Library which contains a fix for a security vulnerability that could allow unauthorized access to restricted actions.
DESCRIPTION:
An authorized user of the TS3500 web user interface could exploit a vulnerability that would give that user a higher level of access than originally granted. However, the TS3500 web user interface continues to prevent any user from accessing data that is read from, written to, or stored on tape media.
The IBM TS3500 tape library firmware has been updated to contain a fix for this vulnerability.
**CVEID:*CVE-2012-5767
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80272 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
AFFECTED PRODUCTS AND VERSIONS:
All TS3500 tape libraries with firmware versions lower than C260.
REMEDIATION:
The recommended solution is to apply the fix, which is contained in firmware version C260 and above.
Fix:
Apply firmware version C260 or later, available from IBM Fix Central http://www-933.ibm.com/support/fixcentral/
Workaround(s):
None
Mitigation(s):
Only provide remote login access to persons that can be trusted not to attempt to hack into a higher level of access permissions, or only provide remote login access to persons with administrator privileges (where there is no higher level access to hack into).
REFERENCES:
ยท Complete CVSS Guide
ยท On-line Calculator V2_ _
ยท CVE-2012-5767__ __
ยท _X-Force Vulnerability Database _http://xforce.iss.net/
RELATED INFORMATION:
_IBM Secure Engineering Web Portal _
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Narodowe Archiwum Cyfrowe (National Digital Archives).
[{โProductโ:{โcodeโ:โSTCVQ6Zโ,โlabelโ:โTape systems-\u003E3584 Tape Libraryโ},โBusiness Unitโ:{โcodeโ:โBU054โ,โlabelโ:โSystems w/TPSโ},โComponentโ:โNot Applicableโ,โPlatformโ:[{โcodeโ:โPF025โ,โlabelโ:โPlatform Independentโ}],โVersionโ:โNot Applicableโ,โEditionโ:โโ,โLine of Businessโ:{โcodeโ:โโ,โlabelโ:โโ}}]