Jun 17, 2018 - 3:16 p.m.

Security Bulletin: Multiple Security Vulnerabilities in IBM Tivoli Storage Manager FastBack (CVE-2015-8519, CVE-2015-8520, CVE-2015-8521, CVE-2015-8522, CVE-2015-8523)

2018-06-17 15:16:30
www.ibm.com

EPSS: 0.867 (High), Percentile: 98.6%

Summary

IBM Tivoli Storage Manager FastBack is affected by multiple security vulnerabilities, including stack-based buffer overflows and a denial of service. These vulnerabilities may cause the server to crash.

Vulnerability Details

**CVEID:** CVE-2015-8519
**DESCRIPTION:** IBM Tivoli Storage Manager FastBack Server is vulnerable to a buffer overflow, caused by improper bounds checking in server command processing. A remote attacker could overflow a buffer and execute arbitrary code on the system with system privileges or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108936 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2015-8520
**DESCRIPTION:** IBM Tivoli Storage Manager FastBack Server is vulnerable to a buffer overflow, caused by improper bounds checking in server command processing. A remote attacker could overflow a buffer and execute arbitrary code on the system with system privileges or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108937 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2015-8521
**DESCRIPTION:** IBM Tivoli Storage Manager FastBack Server is vulnerable to a buffer overflow, caused by improper bounds checking in server command processing. A remote attacker could overflow a buffer and execute arbitrary code on the system with system privileges or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108938 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2015-8522
**DESCRIPTION:** IBM Tivoli Storage Manager FastBack Server is vulnerable to a buffer overflow, caused by improper bounds checking in server command processing. A remote attacker could overflow a buffer and execute arbitrary code on the system with system privileges or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2015-8523
**DESCRIPTION:** IBM Tivoli Storage Manager FastBack Server is vulnerable to a denial of service. An attacker can send specially crafted packets to the target’s TCP port which would result in a shutdown of the service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108943 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Tivoli Storage Manager FastBack 6.1.0.0 through 6.1.12.1.
IBM Tivoli Storage Manager FastBack 5.5 all levels

Remediation/Fixes

| FastBack Release | First Fixing VRMF Level | Platform | APAR | Link to fix |
|---|---|---|---|---|
| 6.1 | 6.1.12.2 | Windows | None | <http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack> |

For FastBack 5.5, IBM recommends upgrading to a fixed, supported version of FastBack (6.1.12.2).
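
A version triage check built from the affected range and first fixing level above, as an added example that is not part of IBM's bulletin. The host names and versions in the sample inventory are constructed, and reading a short version string such as 6.1 as 6.1.0.0 is an assumption.

```python
import re

# First fixing VRMF level from the bulletin's Remediation/Fixes table.
FIRST_FIXED = (6, 1, 12, 2)
VRMF_RE = re.compile(r"\d+(\.\d+){1,3}")


def parse_vrmf(text):
    """Parse 'V.R.M.F' (2 to 4 numeric fields) into a 4-tuple.

    Missing trailing fields are padded with zeros (assumption)."""
    text = text.strip()
    if not VRMF_RE.fullmatch(text):
        raise ValueError(f"not a VRMF version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Return 'affected', 'fixed', 'unknown' or 'invalid' for one version."""
    try:
        v = parse_vrmf(version_text)
    except ValueError:
        return "invalid"
    if v[:2] == (5, 5):
        return "affected"   # 5.5: all levels; bulletin says upgrade to 6.1.12.2
    if v[:2] == (6, 1):
        # 6.1.0.0 through 6.1.12.1 are affected; 6.1.12.2 is the first fix.
        return "fixed" if v >= FIRST_FIXED else "affected"
    return "unknown"        # release not covered by the bulletin


def triage(inventory):
    """Map {host: version} to {host: status}, hosts needing action first."""
    order = {"affected": 0, "invalid": 1, "unknown": 2, "fixed": 3}
    result = {host: classify(ver) for host, ver in inventory.items()}
    return dict(sorted(result.items(), key=lambda kv: (order[kv[1]], kv[0])))


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "backup-01": "6.1.12.1", "backup-02": "6.1.12.2", "backup-03": "5.5.6",
    "backup-04": "6.1", "backup-05": "6.2.0.0", "backup-06": "6.1.x",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Because the bulletin lists no workarounds, every host reported as affected needs the upgrade; hosts reported as invalid or unknown need a manual version check.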

Workarounds and Mitigations

None
