
IBM patches security flaws in Tivoli Storage Manager

Attackers could exploit two security flaws in IBM Tivoli Storage Manager to access sensitive data, but the computing giant has released security updates.


IBM said in a security advisory that two security holes plague the IBM Tivoli Storage Manager (TSM) client, affecting the Web Client GUI, CAD-managed scheduling and server-initiated prompted scheduling. The first problem is that a buffer overrun can occur in the Client Acceptor Daemon (CAD). Attackers could exploit this to crash the operating system or run malicious code. The second problem is that under certain conditions, use of server-initiated prompted scheduling could allow attackers unauthorized access to the client's data.

IBM said the flaws affect three client interfaces: the Web client GUI, which uses the CAD; Backup-Archive client scheduling using the CAD; and Backup-Archive server-initiated prompted scheduling.

"All other client interfaces (such as client-initiated traditional client scheduling), and the TSM Server, are unaffected," the vendor said in its advisory. "IBM is issuing client updates to address the vulnerabilities in all supported releases."

Until IT shops are able to install the security update, IBM recommends they do not use server-initiated prompted scheduling; do not start up or use the CAD; do not use the Web client; and use client-initiated traditional client scheduling instead of CAD-managed scheduling.

The company has also fixed a smaller flaw in IBM Rational ClearQuest, which attackers could exploit to corrupt data. The vulnerability affects Microsoft SQL Server and IBM DB2-based ClearQuest databases.

IBM has issued a test fix, available from Rational ClearQuest Support.

Because the ClearQuest flaw can only be exploited locally, Danish vulnerability clearinghouse Secunia labeled the threat "less critical" in its Secunia SA26899 advisory.
