ADSM-L

[ADSM-L] local fix for CVE-2016-8998

2017-02-27 08:56:25
Subject: [ADSM-L] local fix for CVE-2016-8998
From: Markus Engelhard <markus.engelhard AT BUNDESBANK DOT DE>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 27 Feb 2017 14:54:22 +0100
Dear all,

we have been thinking about a local quick fix for Security Bulletin: Buffer
Overflow from improperly formatted SELECT command in IBM Tivoli Storage
Manager (IBM Spectrum Protect) Server (CVE-2016-8998).
Gerd Becker and I have come across the following idea that may ease the
pressure to update to 7.1.7.100 ff:

- Define one empty domain "emptydomain"
- Update admins who may safely use select statements, but with no other
  authority to "grant authority adminname classes=policy domains=emptydomain"
- Set queryauth policy in the server option file and bounce the server
  instance

All other admins, such as node admin users, will no longer be able to issue
select statements.

Cheers,

Markus