Security Bulletin: Tivoli Storage Productivity Center is affected by vulnerabilities in OpenSSL (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)

Summary

OpenSSL vulnerabilities were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by Tivoli Storage Productivity Center. Tivoli Storage Productivity Center has addressed the applicable CVEs.

Vulnerability Details

CVE-ID:CVE-2014-3513

**DESCRIPTION:******OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97035&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID:CVE-2014-3567

**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97036&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID:CVE-2014-3568

**DESCRIPTION:**OpenSSL could allow a remote attacker bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.

CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97037&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Tivoli Storage Productivity Center 5.2.0 through 5.2.4.1
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.5
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.184
Tivoli Storage Productivity Center 4.1.x

The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.

System Storage Productivity Center is affected if it has one of the Tivoli Storage Productivity Center versions listed above installed on it.

Remediation/Fixes

Note: It is always recommended to have a current backup before applying any update procedure.

Tivoli Storage Productivity Center V5
Apply the Tivoli Storage Productivity Center fix maintenance as soon as practicable. (See Latest Downloads.)

Tivoli Storage Productivity Center V4
Apply the Tivoli Storage Productivity Center fix pack as soon as practicable (See Latest Downloads.) and follow the manual steps provided.

After upgrading the Tivoli Storage Productivity Center server to the fixed version, you must also upgrade your Storage Resource agents. In the Tivoli Storage Productivity Center GUI, all existing agents will be marked as “Upgrade needed”. Follow the normal Storage Resource agent upgrade procedure, as documented in the Knowledge Center, to deploy the new compliant Storage Resource agents. Once the Storage Resource agents have been upgraded, they will resume showing their running state, i.e. “Up”.

Note: For Tivoli Storage Productivity Center 4.1.x, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

If you cannot apply the fix provided, you can mitigate exposure in Tivoli Storage Productivity Center by removing all connections to XIV storage subsystems and shutting down the Storage Resource Agents