Attackers could exploit two security flaws in IBM Tivoli Storage Manager to access sensitive data, but the computing giant has released security updates.
IBM said in a security advisory that two security holes plague the IBM Tivoli Storage Manager (TSM) client, affecting the Web Client GUI, CAD-managed scheduling and server-initiated prompted scheduling. The first problem is that a buffer overrun can occur in the Client Acceptor Daemon (CAD). Attackers could exploit this to crash the operating system or run malicious code. The second problem is that under certain conditions, use of server-initiated prompted scheduling could allow attackers unauthorized access to the client's data.
IBM said the flaws affect three client interfaces: the Web client GUI, which uses the CAD, Backup-Archive client scheduling using the CAD; and Backup-Archive server-initiated prompted scheduling.
"All other client interfaces (such as client-initiated traditional client scheduling), and the TSM Server, are unaffected," the vendor said in its advisory. "IBM is issuing client updates to address the vulnerabilities in all supported releases."
Until IT shops are able to install the security update, IBM recommends they do not use server-initiated prompted scheduling; do not start up or use the CAD; do not use the Web client; and use client-initiated traditional client scheduling instead of CAD-managed scheduling.
The company has also fixed a smaller flaw in IBM Rational ClearQuest, which attackers could exploit to corrupt data. The vulnerability affects Microsoft SQL Server and IBM DB2-based ClearQuest databases.
IBM has issued a test fix, available from Rational ClearQuest Support.
Because the ClearQuest flaw can only be exploited locally, Danish vulnerability clearinghouse Secunia labeled the threat "less critical" in its Secunia SA26899 advisory.