ADSM-L

Re: [ADSM-L] Fixing level for ASNODENAME vulnerability

2016-02-25 07:06:36
From: Henrik Ahlgren <pablo AT SEESTIETO DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 25 Feb 2016 14:04:36 +0200
Is the IBM Security Bulletin correct when it does not list Windows as a
vulnerable platform?

BTW, where can I find a more detailed description of what this
means exactly: "The Tivoli Storage Manager server fails to adequately
check the authorization of client sessions using the ASNODENAME option
and runs the session as an authorized session. As a result, unauthorized
users with proxy authority can generate and retrieve backup data that
they would otherwise not be allowed to write or access."

Any node with granted proxy authority to some target can read data from
any target or what? I find this description about the vulnerability
quite vague.

On Wed, Feb 24, 2016, at 10:32 PM, Thomas Denier wrote:
> We are trying to figure out how to deal with the bug described in
> http://www-01.ibm.com/support/docview.wss?uid=swg21975957. The document
> at that URL includes a table with information about the availability of
> fixes for various server code levels. The row for TSM 6.3 has a cell
> stating that the fixing level is 6.3.5.1. Two cells to the right in the
> same row, customers are advised to contact IBM support and request
> 6.3.5.110 or later. Am I missing something that makes it possible for the
> two cells to be logically compatible?
>
> Thomas Denier
> Thomas Jefferson University
