
IBM patches security flaws in Tivoli Storage Manager

By Bill Brenner, Senior News Writer
25 Sep 2007 | SearchSecurity.com


Attackers could exploit two security flaws in IBM Tivoli Storage Manager to access sensitive data, but the computing giant has released security updates.

IBM said in a security advisory that two security holes plague the IBM Tivoli Storage Manager (TSM) client, affecting the Web Client GUI, CAD-managed scheduling and server-initiated prompted scheduling. The first problem is that a buffer overrun can occur in the Client Acceptor Daemon (CAD). Attackers could exploit this to crash the operating system or run malicious code. The second problem is that under certain conditions, use of server-initiated prompted scheduling could allow attackers unauthorized access to the client's data.

IBM said the flaws affect three client interfaces: the Web client GUI, which uses the CAD; Backup-Archive client scheduling using the CAD; and Backup-Archive server-initiated prompted scheduling.

"All other client interfaces (such as client-initiated traditional client scheduling), and the TSM Server, are unaffected," the vendor said in its advisory. "IBM is issuing client updates to address the vulnerabilities in all supported releases."

Until IT shops are able to install the security update, IBM recommends they do not use server-initiated prompted scheduling; do not start up or use the CAD; do not use the Web client; and use client-initiated traditional client scheduling instead of CAD-managed scheduling.
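One way to check a client for the interfaces named in that workaround is to audit its options file. The script below is an added example, not code from IBM or the article; it assumes the TSM Backup-Archive client option names `SCHEDMODE` and `MANAGEDSERVICES`, their abbreviation rules and the `*` comment prefix, none of which the article quotes, and the sample files are constructed.

```python
# Added example: flag TSM client options that enable the affected interfaces.
# Assumptions (not from the article): option names SCHEDMODE / MANAGEDSERVICES,
# minimum abbreviations, and "*" comment lines, as used in dsm.opt / dsm.sys.

def _is_option(word, full, min_len):
    """Options may be abbreviated: accept a prefix of `full` at least min_len long."""
    w = word.upper()
    return len(w) >= min_len and full.startswith(w)

def audit_options(text):
    """Return [(line_number, finding)] for settings the workaround says to avoid."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("*"):          # blank line or comment
            continue
        parts = line.split()
        key, values = parts[0], [v.upper() for v in parts[1:]]
        if _is_option(key, "SCHEDMODE", 8):
            # Absent or POLLING means client-initiated scheduling (unaffected).
            if values and len(values[0]) >= 2 and "PROMPTED".startswith(values[0]):
                findings.append((lineno, "server-initiated prompted scheduling"))
        elif _is_option(key, "MANAGEDSERVICES", 8):
            if "SCHEDULE" in values:
                findings.append((lineno, "CAD-managed scheduling"))
            if "WEBCLIENT" in values:
                findings.append((lineno, "Web client served by the CAD"))
    return findings

# Constructed sample: all three affected interfaces enabled.
SAMPLE_WEAK = """\
* constructed sample options file
COMMMethod        TCPip
SCHEDMODe         PRompted
MANAGEDServices   schedule webclient
"""

# Constructed sample: workaround applied (client-initiated polling, no CAD services).
SAMPLE_WORKAROUND = """\
* constructed sample options file
COMMMethod        TCPip
SCHEDMODe         POlling
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("workaround", SAMPLE_WORKAROUND)):
        print(name, audit_options(sample))
```

A clean options file does not show that the CAD process is stopped, so check running services separately on each client.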

The company has also fixed a smaller flaw in IBM Rational ClearQuest, which attackers could exploit to corrupt data. The vulnerability affects Microsoft SQL Server and IBM DB2-based ClearQuest databases.

IBM has issued a test fix, available from Rational ClearQuest Support.

Because the ClearQuest flaw can only be exploited locally, Danish vulnerability clearinghouse Secunia labeled the threat "less critical" in its Secunia SA26899 advisory.






