A number of security vulnerabilities have been discovered in the OpenSSL libraries included in Tivoli Storage Productivity Center. These libraries are used for communications with the Storage Resource agent and some storage systems.
VULNERABILITY DETAILS:
DESCRIPTION:
The vulnerabilities include a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS, a flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms which can be exploited in a DoS attack, and a flaw in the OpenSSL handling of OCSP response verification, which can be exploited in a denial of service attack. For more information, see the OpenSSL security advisory located at http://www.openssl.org/news/secadv_20130204.txt.
CVE ID: CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE ID: CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE ID: CVE-2012-2686
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81903 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED VERSIONS:
Tivoli Storage Productivity Center 5.1.0 through 5.1.1.1
Tivoli Storage Productivity Center 4.2.0 through 4.2.2 FP3
Tivoli Storage Productivity Center 4.1.x
System Storage Productivity Center (refer to Tivoli Storage Productivity Center version)
Tivoli Storage Productivity Center for Replication is not affected.
REMEDIATION:
The solution is to apply an appropriate Tivoli Storage Productivity Center fix pack fix for each named product, and the solution should be implemented as soon as practicable. To apply the appropriate fix pack, go to the Latest Downloads for Tivoli Storage Productivity Center technote and find a fix pack that at least meets the minimum value listed in the table below.
Vendor Fix(es):
Tivoli Storage Productivity Center APAR Fixes
Affected TPC Version |
APAR |
Fixed TPC Version |
Availability |
5.1.x |
IC95921 |
5.1.1.2 |
September 2013 |
4.2.x
4.1.x |
IC95922 |
4.2.2.170 (FP4) |
July 2013 |
Latest Downloads for Tivoli Storage Productivity Center
Workaround(s):
None
Mitigation(s):
None
REFERENCES:
RELATED INFORMATION:
ACKNOWLEDGEMENT:
None
CHANGE HISTORY:
None
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
See more details here