The fix seems to be to install TSM Server 6.3.4-- which has been out for so
long, I installed it a month ago for unrelated reasons.
Oddly, the list of APARs fixed in 6.3.4 doesn't include IC82487. Presumably
IBM wasn't discussing this APAR until something happened.
At least I can tell my current client, we're ahead of this one!
Hope this helps,
Nick
On Wednesday, December 4, 2013, Roger Deschner wrote:
> On Monday IBM sent a Flash to many of us announcing a security
> vulnerability in the TSM Server. Regular non-administrator end-users on
> a multi-user system can restore files belonging to other users,
> including userid "root". For instance, this could be a Unix system that
> hosts shell accounts. Dissecting the CVSS scoring reveals "Access
> Complexity: Low" and "Authentication: None" - which basically means
> anyone can do it. Obviously, this is an opportunity for a breach of
> confidentiality.
>
> If you back up any multi-user clients which have non-administrative
> accounts, this applies to you. It definitely applied to us, so I updated
> all our TSM server instances immediately.
>
> The Flash containing the full description and a list of fixing releases
> is at http://www-01.ibm.com/support/docview.wss?uid=swg21657726
>
> Kudos to IBM for making well-tested fixes widely available before
> publishing the vulnerability, and also for announcing it after the
> Thanksgiving holiday rather than before.
>
> Roger Deschner University of Illinois at Chicago rogerd AT uic DOT edu
> ======I have not lost my mind -- it is backed up on tape somewhere.=====
>