The fix seems to be to install TSM Server 6.3.4 -- which has been out for so long, I installed it a month ago for unrelated reasons.

Oddly, the list of APARs fixed in 6.3.4 doesn't include IC82487. Presumably IBM wasn't discussing this APAR until something happened. At least I can tell my current client, we're ahead of this one!

Hope this helps,
Nick

On Wednesday, December 4, 2013, Roger Deschner wrote:

> On Monday IBM sent a Flash to many of us announcing a security
> vulnerability in the TSM Server. Regular non-administrator end-users on
> a multi-user system can restore files belonging to other users,
> including userid "root". For instance, this could be a Unix system that
> hosts shell accounts. Dissecting the CVSS scoring reveals "Access
> Complexity: Low" and "Authentication: None" - which basically means
> anyone can do it. Obviously, this is an opportunity for a breach of
> confidentiality.
>
> If you back up any multi-user clients which have non-administrative
> accounts, this applies to you. It definitely applied to us, so I updated
> all our TSM server instances immediately.
>
> The Flash containing the full description and a list of fixing releases
> is at http://www-01.ibm.com/support/docview.wss?uid=swg21657726
>
> Kudos to IBM for making well-tested fixes widely available before
> publishing the vulnerability, and also for announcing it after the
> Thanksgiving holiday rather than before.
>
> Roger Deschner University of Illinois at Chicago
> [email protected]
> ======I have not lost my mind -- it is backed up on tape somewhere.=====
