There have been 3-4 security vulnerabilities recently for either Linux or all Unix and Linux clients, all related to the setuid "dsmtca" utility, with some overlap in versions (6.3-ish, IIRC) for some of the issues.
For older/unsupported (or can't-yet-be-updated) clients, the workaround has been to restrict permissions on "dsmtca" (either remove the setuid bit entirely, or limit access to it to trusted users via group permissions or, I suppose, ACLs). The impact of the workaround is that non-root users without explicit (e.g. group-based) permissions for "dsmtca" won't be able to use the TSM client. We used this workaround for our 6.2 clients until the 6.2.5.4 release, which wasn't initially available. (The advisories previously said to contact support for the fix, which I did; they published 6.2.5.4 a couple weeks later. I suspect the devs were hoping they could get away with not building a 6.2 release with the fixes, since 6.2 drops from support in April... :-) )

=Dave

On 02/25/2015 02:00 PM, Zoltan Forray wrote:
> Where are you getting the bulletins/alerts from? I wouldn't have known
> about it if it wasn't for your posting. I have passed this on to my folks
> - we too have old clients going back to 5.3 and older (IRIX?)
>
> On Wed, Feb 25, 2015 at 12:55 PM, Thomas Denier <[email protected]>
> wrote:
>
>> The body of the bulletin I received states that the affected platforms are
>> AIX, HP-UX, Linux, Solaris, and Mac.
>>
>> -----Original Message-----
>> From: ADSM: Dist Stor Manager [mailto:[email protected]] On Behalf Of
>> Zoltan Forray
>> Sent: Wednesday, February 25, 2015 12:12 PM
>> To: [email protected]
>> Subject: Re: [ADSM-L] Privilege escalation bug
>>
>> Does not specifically say if it includes SOLARIS (only says "*UNIX, Linux,
>> and OS X allows local users to gain privileges via unspecified vectors.*").
>> Do I assume since it says "UNIX" SOLARIS is included? We have some old
>> Domino Solaris boxes (supposed to go away some time soon....) still running
>> 6.1.3....
>>
>> On Wed, Feb 25, 2015 at 10:56 AM, Thomas Denier
>> <[email protected]> wrote:
>>
>>> I received a security bulletin from IBM yesterday regarding "Tivoli
>>> Storage Manager Stack-based Buffer Overflow Elevation of Privilege:
>>> CVE-2014-6184". The affected version/release combinations listed in
>>> the bulletin run from 5.4 to 6.3. We still have one Linux system with
>>> 5.3 client code. Can I treat the list of affected releases as an
>>> explicit assurance that the 5.3 client does not have the vulnerability
>>> discussed in the bulletin? The alternative possibility that worries me
>>> is that 5.4 is the oldest level IBM thought it worthwhile to check.

--
Hello World.                                  David Bronder - Systems Architect
Segmentation Fault                                       ITS-EI, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.      [email protected]
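The workaround Dave describes (restrict "dsmtca" to trusted users, or drop its setuid bit) as an added audit-and-hardening script; this is not code from the thread or from IBM. The client install path and the trusted group name are assumptions that depend on your site.

```shell
# Added example (not from the thread). Audits a setuid "dsmtca" binary and applies
# one of the two workarounds discussed: strip the setuid bit, or keep it but limit
# execution to a trusted group. The install path and group name are assumptions.

# Return 0 (exposed) if PATH is setuid AND executable by "other": any local user
# can run it, which is exactly the condition the advisory workaround removes.
dsmtca_is_exposed() {
    path="$1"
    [ -f "$path" ] || return 2
    [ -u "$path" ] || return 1                   # no setuid bit: nothing to escalate through
    case "$(ls -ld "$path")" in
        ?????????[xt]*) return 0 ;;              # "other" execute bit set on a setuid file
    esac
    return 1
}

# Apply the workaround. MODE is "strip" (remove setuid entirely) or "group" (keep
# setuid but chgrp to a trusted group and drop all "other" permissions: mode 4750).
# Hardening a root-owned binary requires running this as root.
restrict_dsmtca() {
    path="$1"; mode="$2"; group="$3"
    case "$mode" in
        strip) chmod u-s "$path" ;;
        group) [ -n "$group" ] || return 2
               chgrp "$group" "$path" && chmod 4750 "$path" ;;
        *)     echo "usage: restrict_dsmtca PATH strip|group [GROUP]" >&2; return 2 ;;
    esac
}

# Example invocation against the usual Linux client path (assumption) with a
# site-specific group (assumption); uncomment to run as root on a real client:
# restrict_dsmtca /opt/tivoli/tsm/client/ba/bin/dsmtca group tsmusers
```

Users outside the chosen group (or everyone, in "strip" mode) will lose the ability to run the TSM client, which is the trade-off the thread describes.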
