7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.947 High
EPSS
Percentile
99.2%
OpenSSL vulnerabilities were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by Tivoli Storage Productivity Center. Tivoli Storage Productivity Center has addressed the applicable CVEs.
CVE-ID:CVE-2014-3513
**DESCRIPTION:******OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97035>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID:CVE-2014-3567
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97036>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID:CVE-2014-3568
**DESCRIPTION:**OpenSSL could allow a remote attacker bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97037>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Tivoli Storage Productivity Center 5.2.0 through 5.2.4.1
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.5
Tivoli Storage Productivity Center 4.2.0 through 4.2.2.184
Tivoli Storage Productivity Center 4.1.x
The versions listed above apply to all licensed offerings of Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.
System Storage Productivity Center is affected if it has one of the Tivoli Storage Productivity Center versions listed above installed on it.
Note: It is always recommended to have a current backup before applying any update procedure.
Tivoli Storage Productivity Center V5
Apply the Tivoli Storage Productivity Center fix maintenance as soon as practicable. (See Latest Downloads.)
Affected TPC Version | APAR | Fixed TPC Version | Availability |
---|---|---|---|
5.2.x | IT07314 | 5.2.5 | March 2015 |
5.1.x | IT07314 | 5.1.1.6 | March 2015 |
After upgrading the Tivoli Storage Productivity Center server to the fixed version, you must also upgrade your Storage Resource agents. In the Tivoli Storage Productivity Center GUI, all existing agents will be marked as “Upgrade needed”. Follow the normal Storage Resource agent upgrade procedure, as documented in the Knowlege Center, to deploy the new compliant Storage Resource agents. Once the Storage Resource agents have been upgraded, they will resume showing their running state, i.e. “Up”. |
Tivoli Storage Productivity Center V4
Apply the Tivoli Storage Productivity Center fix pack as soon as practicable (See Latest Downloads.) and follow the manual steps provided.
Affected TPC Version | APAR | Fixed TPC Version | Availability |
---|---|---|---|
4.2.x | IT07318 | 4.2.2 FP8 | |
(4.2.2.191) | March 2015 |
After upgrading the Tivoli Storage Productivity Center server to the fixed version, you must also upgrade your Storage Resource agents. In the Tivoli Storage Productivity Center GUI, all existing agents will be marked as “Upgrade needed”. Follow the normal Storage Resource agent upgrade procedure, as documented in the Knowledge Center, to deploy the new compliant Storage Resource agents. Once the Storage Resource agents have been upgraded, they will resume showing their running state, i.e. “Up”.
Note: For Tivoli Storage Productivity Center 4.1.x, IBM recommends upgrading to a fixed, supported release of the product.
If you cannot apply the fix provided, you can mitigate exposure in Tivoli Storage Productivity Center by removing all connections to XIV storage subsystems and shutting down the Storage Resource Agents