Security Bulletin: Tivoli Storage Manager client encryption key password vulnerability (CVE-2014-4818)

Tivoli Storage Manager: Security bulletin

– TITLE: Security Bulletin: Tivoli Storage Manager client encryption key password vulnerability (CVE-2014-4818)

– URL: http://www.ibm.com/support/docview.wss?uid=swg21697022&myns=swgtiv&mynp=OCSSAT9S&mynp=OCSSSQWC&mynp=OCSSGSG7&mync=E&cm_sp=swgtiv-_-OCSSAT9S-OCSSSQWC-OCSSGSG7-_-E

– ABSTRACT: A vulnerability in the IBM Tivoli Storage Manager (TSM) client would allow a local user to obtain the encryption key password.

Security Bulletin

Summary

A vulnerability in the IBM Tivoli Storage Manager (TSM) client would allow a local user to obtain the encryption key password.

Vulnerability Details

CVEID: CVE-2014-4818
DESCRIPTION: IBM Tivoli Storage Manager client contains a vulnerability that would allow a local user to obtain the encryption key password used for backups and restores.

CVSS Base Score: 2.10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95451 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

  • TSM 7.1.0.0 through 7.1.1.x
  • TSM 6.4.0.0 through 6.4.2.x
  • TSM 6.3 all versions
  • TSM 6.2 all versions
  • TSM 6.1 all versions
  • TSM 5.5 all versions
  • TSM 5.4 all versions

Remediation/Fixes

TSM Release                  First Fixing VRMF Level   APAR      Remediation/First Fix
7.1                          7.1.2                     IT06016   A fix will be provided for 7.1.2 on 4/17/2015 or apply the workaround.
6.4                          6.4.3                     IT06016   A fix will be provided for 6.4.3 on 7/14/2015 or apply the workaround.
6.3, 6.2, 6.1, 5.5, and 5.4  -                         -         Upgrade to fixing release or apply the workaround.

Workarounds and Mitigations

Step 1

Create a user group (e.g., tsmusers) that includes all users that need to use the TSM client.

Step 2

Restrict access to the stored encryption key password by restricting access to the client Trusted Communications Agent (TCA) by using the user group created in Step 1.

1. Use chgrp to change the group ownership of dsmtca to the tsmusers group.
   chgrp tsmusers dsmtca
2. Use chmod to set the execute bit for the group so that anyone in the tsmusers group can run dsmtca, and to remove all access for users outside the group.
   chmod 750 dsmtca
3. Use chmod to set the SUID bit for dsmtca so that users in the group can run it with elevated privileges.
   chmod u+s dsmtca
4. Verify that the group has the execute bit set for the dsmtca file by typing:
   ls -l dsmtca

   The output from this command shows that the SUID bit (s) is set for dsmtca in the user field and that the execute bit (x) is set in the group field:
   -rwsr-x--- 1 root tsmusers 13327961 2011-05-19 08:34 dsmtca
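The following shell script is an added example, not part of the IBM bulletin, that checks whether the Step 2 workaround is actually in place on a dsmtca binary: mode exactly -rwsr-x--- (SUID on the owner, execute for the group, nothing for others) and group ownership by the group from Step 1. The path /path/to/dsmtca and the group name are arguments you supply; the check parses "ls -l" because that field layout is the same on AIX and Linux.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): verify the dsmtca workaround.
# Assumptions: the dsmtca path and the Step 1 group are passed as arguments;
# "ls -l" output is parsed, which has the same field layout on AIX and Linux.

# dsmtca_mode_ok FILE GROUP
# Returns 0 when FILE has mode -rwsr-x--- and is owned by GROUP; otherwise
# prints the first deviation found and returns 1.
dsmtca_mode_ok() {
    f=$1
    g=$2
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # "ls -l" fields: mode links owner group size date ... name
    set -- $(ls -l "$f")
    # Keep only the ten permission characters; some ls builds append "."
    # or "+" when an ACL or security context is present.
    mode=$(printf '%s' "$1" | cut -c1-10)
    grp=$4
    if [ "$mode" != "-rwsr-x---" ]; then
        echo "$f: mode is $mode, expected -rwsr-x---" >&2
        return 1
    fi
    if [ "$grp" != "$g" ]; then
        echo "$f: group is $grp, expected $g" >&2
        return 1
    fi
    return 0
}

# dsmtca_owner_ok FILE
# Returns 0 when FILE is owned by root. A SUID binary owned by any other
# account would run with that account's privileges, not root's, so the
# owner is checked separately from the mode.
dsmtca_owner_ok() {
    set -- $(ls -l "$1")
    [ "$3" = "root" ]
}

# Stand-alone use after applying Step 2 (placeholder path and group):
#   dsmtca_mode_ok /path/to/dsmtca tsmusers && dsmtca_owner_ok /path/to/dsmtca
```

A mode of 755 or 4755 (world-executable) makes the check fail, which is the case the workaround exists to prevent: the SUID agent must only be runnable by members of the restricted group.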

      Acknowledgement

      The vulnerability was reported to IBM by Bartlomiej Balcerek from WCSS CSIRT

      *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

      Disclaimer

      According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment             Product                              Component          Platform                             Version                             Edition
Storage Management  Tivoli Storage Manager               Extended Edition   AIX, HP-UX, Linux, Solaris, Mac OS   5.4, 5.5, 6.1, 6.2, 6.3, 6.4, 7.1   All Editions
Storage Management  IBM System Storage Archive Manager   -                  AIX, HP-UX, Linux, Solaris, Mac OS   6.2, 6.3, 6.4, 7.1                  All Editions

      TIPS: FLRT reports now include security and HIPER data

      https://ibm.biz/BdRh6p

      You’ve asked for it, and IBM delivered!

      FLRT continues to provide update and upgrade recommendations based on your input level, usually your current level, for Power firmware, HMC, AIX, VIOS and many more products.

      Now, in addition to the recommendations, you’ll see any security or HIPER fixes that have been released ‘on top’ of those levels, including your input level.

      This provides you with options. First, you will be able to see what issues reside on each level. Based on this data, and the end of service dates, you can make decisions about updating or upgrading or staying on your current level.

      Here’s an example of an AIX report:

[image: example FLRT report for an AIX partition]

Notice that the information is provided for each APAR or security advisory, with direct links. Or, you can see the information in the easy-to-use Security APARs or HIPER APARs tables. These tables also list the service packs that the fixes will be released in, so you can plan accordingly.

The report also provides abstract information if you hover over the APAR or CVE number with your cursor. This allows you to get a quick view before having to click on the link. Very useful!

      Here’s a quick example of a report you can try this with:  http://www-304.ibm.com/webapp/set2/flrt/report?fcn=power&plat=power&mtm=9179-MHC&fw=AM740_100&hmc=V7+R740&p1.parnm=Partition+1&p1.os=aix&p1.aix=6100-07-07&p2.parnm=Partition+2&p2.os=vios&p2.vios=2.2.2.2&reportname=&btnGo=Submit

      Here’s an example for a VIOS partition:

[image: example FLRT report for a VIOS partition]

      I hope you enjoy this new function and please let us know what you think with our feedback button or take our FLRT survey to let us know what other options you would like to see added to FLRT.

      Thanks!!!

      Julie Craft

      FLRT architect

      Austin, TX

su to NIS user fails with error 3004-503 cannot set process credentials.

Error description

su to NIS user fails with error 3004-503 cannot set process credentials. This happens when the system is upgraded to 6.1 TL09 SP01.
      Local fix
      Problem summary

      **************************************************************
      * USERS AFFECTED:
      * Systems running the 6100-09 Technology Level with
      * bos.rte.security at the 6.1.9.0 or 6.1.9.1 level.
      **************************************************************
      *PROBLEM DESCRIPTION:
Switching to a NIS user using the ‘su’ command will fail with: 3004-503 cannot set process credentials.

      This only affects customers using NIS (Network Information Service).
      **************************************************************
      * RECOMMENDATION:
      * Install APAR IV53944.
      * Prior to fix availability, an interim fix is available from
      * either
      * ftp://aix.software.ibm.com/aix/ifixes/iv53944/
      * https://aix.software.ibm.com/aix/ifixes/iv53944/
      **************************************************************
      Problem conclusion

      In the processing of NIS user credentials, the logic to find
      stale cached records has been corrected so that the record is
      not assigned an invalid pointer.
      Temporary fix

      *********
      * HIPER *
      *********
      Comments

       

APAR information
APAR number: IV53944
Reported component name: AIX 610 STD EDI
Reported component ID: 5765G6200
Reported release: 610
Status: CLOSED PER
PE: Yes
HIPER: Yes
Submitted date: 2014-01-13
Closed date: 2014-01-27
Last modified date: 2014-03-28

       

      APAR is sysrouted FROM one or more of the following:

      IV53884

      AIX5.3 Support for POWER7+ Servers

      AIX 5.3 TL12, SP8 w/Service Extension

      will extend support for these Power7+:

      o  IBM Power 710 server (8231-E1D)
      o  IBM Power 720 server (8202-E4D)
      o  IBM Power 730 server (8231-E2D)
      o  IBM Power 740 server (8205-E6D)
      o  IBM Power 750 server (8408-E8D)
      o  IBM Power 760 server (9109-RMD)

You must have a valid AIX Software Maintenance Agreement (SWMA) to call IBMSERV for AIX support. No SWMA? No support.

      Also, to get AIX 5.3 support, you MUST have an Extended Service contract.

      213-146 – AIX5.3 Support for p7+ Servers

      IBM PowerHA SystemMirror for AIX Adds Support for the New IBM Power7+ 710/730 (8231-E1D/E2D)


May 02, 2013: IBM PowerHA SystemMirror for AIX* adds support for the new IBM Power7+ 710/730 (8321-E1D/E2D).

      Please refer to the following information for support details.

Power 7+ 710/730 (8321-E1D/E2D)   AIX V6.1                           AIX V7.1
PowerHA SystemMirror V6.1         PowerHA V6.1 TL 6, AIX V6.1 TL 8   PowerHA V6.1 TL 6, AIX V7.1 TL 2
PowerHA SystemMirror V7.1         PowerHA V7.1.2, AIX 6.1 TL 8       PowerHA V7.1.2, AIX V7.1 TL 2

      Clients are advised to obtain the latest service updates for this support.

      Notes:

      • Integrated Virtualization Manager (IVM) is also supported.

      IBM Service can be obtained from the IBM Electronic Fix Distribution site at: 

      http://www.ibm.com/support/fixcentral/

      For questions or concerns, please send a note to HA Feedback at:

      HA Solutions Feedback/Poughkeepsie/IBM or hafeedbk@us.ibm.com

      * Trademark or registered trademark of International Business Machines Corporation.
      Other company, product, and service names may be trademarks or service marks of others.

       

      ALERT: AIX v6.1 TL8 SP1 missing requisite fileset – devices.pciex.151438c1.rte.6.1.7.15

      This alert comes from my mentor, fix central will fix it sooner or later…

      I personally just encountered a packaging error in the AIX v6.1 TL8 SP1 package on Fix Central web site. This was just released last week.

      oslevel -s will NOT return 6100-08-01-12xx after completing update_all with no errors

      oslevel -rl 6100-08 returns:

/ #===> oslevel -rl 6100-08
Fileset                     Actual Level   Recommended ML
---------------------------------------------------------
devices.pciex.151438c1.rte  6.1.7.0        6.1.7.15

      oslevel -s returns:

      6100-07-03-1207

      Since the missing fileset update is actually part of TL7, you have to open a PMR to have them extract and send you the missing fileset update, or download the entire ML7 package just to extract the single missing fileset update.

      Flash Update: Update for AIX 7.1 and 6.1 Daylight Savings Time Issue

      ****UPDATE****

      Abstract

      Notice: This document was originally published March 2012. It has been updated to reflect the availability of formal service packs for the reported problem and to provide additional details.

      THERE IS NO NEW DST ISSUE. UPDATES TO THIS DOCUMENT ARE TO PROVIDE MORE CLARIFICATION ON DETERMINING IF THIS PROBLEM AFFECTS YOUR SYSTEMS AND TO UPDATE THE LIST OF AFFECTED AIX LEVELS.

      IF ACTION HAS ALREADY BEEN TAKEN FROM THE PREVIOUS UPDATE IN MARCH 2012 AND YOUR SYSTEMS ARE NOT AT ONE OF THE AFFECTED LEVELS IDENTIFIED IN THIS UPDATE, THEN NO FURTHER ACTION IS NEEDED.

      AIX systems or applications that use the POSIX time zone format may not change time properly at Daylight Savings Time start or end dates. Applications that use the AIX date command, or time functions such as localtime() and ctime(), on these systems may be affected.

      Systems and applications using the Olson time zone format are NOT affected. Do not take any action if you use Olson format.

------------------------------------------------------------

      Flash Update: Update for AIX 7.1 and 6.1 Daylight Savings Time Issue

      IBM has updated the Alert (Flash) document with additional content, including information on additional levels affected. Click on the link for more information.

      http://www.ibm.com/support/docview.wss?uid=isg3T1013017

      Your system is using a POSIX format time zone and the system or an application on the system is using a custom DST setting.

      Possible Action Required: System time may not change properly at DST start/end dates on AIX 7.1 and AIX 6.1

      Flash (Alert)

      Abstract

      Notice: This document was originally published March 2012. It has been updated to reflect the availability of formal service packs for the reported problem.

      AIX systems or applications that use the POSIX time zone format may not change time properly at Daylight Savings Time start or end dates. Applications that use the AIX date command, or time functions such as localtime() and ctime(), on these systems may be affected.

      Systems and applications using the Olson time zone format are NOT affected. Do not take any action if you use Olson format.

      Content

       

      >>> Indicates changes made on 2012-10-24

      Levels affected

      If your country observes Daylight Savings Time, the information in this document may pertain to you. You should read this document carefully to determine if you need to take action.

      This problem is exposed on your system if you have both of these underlying conditions:

      1. Your system is at one of the affected AIX levels (listed below)
      2. Your system is using a POSIX format time zone

      AIX levels affected

      The following AIX levels are the only levels affected by this issue. If your system is not at one of these levels, do not take any action.

      • 7100-01-03-1207
      • 7100-01-02-1150
      • 7100-01-01-1141
      • 6100-07-03-1207
      • 6100-07-02-1150
      • 6100-07-01-1141
      • >>> 6100-06-07-1207
      • 6100-06-06-1140
      • >>> 6100-05-08-1207
      • 6100-05-07-1140
      • 6100-04-11-1140

      Determining if you are using the POSIX Time Zone format

      If your system is at one of the affected AIX levels, you need to evaluate whether you are using the POSIX time zone format or the Olson time zone format.

      POSIX time zone format is the traditionally used format for AIX systems and provides a slight performance advantage over the Olson time zone format. The capability to use the Olson time zone format was initially included with AIX 6.1 in 2007.

      If your system is not using POSIX time zone format OR your system is not at one of the affected AIX levels, then your system is not exposed to the problem and you do not need to take action.

      To determine if you are using the POSIX time zone format, enter this command:
      echo $TZ

Sample results                                 Description
Europe/Paris                                   Your system is using Olson time format and your system is not affected by this problem.
CET-1CEST                                      Your system is using POSIX time zone format.
GMT0BST
EST5EDT
CET-1CEST,M3.5.0/02:00:00,M10.5.0/03:00:00     Your system is using the POSIX time format with customized Daylight Savings Time override values.

      When to take action

      If your system is using POSIX time zone format and is at one of the affected AIX levels and you observe a Daylight Savings Time change then you need to take action before your next change.

      How does this problem affect my applications?

      Applications that are sensitive to time and date information may be negatively affected on AIX systems using the POSIX time zone format. Examples of applications that are time sensitive include SAP and Tivoli Workload Scheduler. The AIX date command is also affected.

      If you use Olson time zone format, your applications are not affected. Do not take any action.

      Recommended actions

      Do one of the following options.

      Option 1. Change the time zone to use Olson format

      Change the time zone format to use Olson format instead of POSIX format.

You MUST reboot to ensure that applications see the changes, regardless of your AIX level. The changes are stored in /etc/environment and are loaded at boot time. See the man page for the chtz command or use smitty chtz_date. More information about the use of Olson time format is included below.

      OR

      Option 2. Install the appropriate Service Pack

      If changing your system to use Olson time zone format is not an option for you, you can install a service pack.

      Installing the service pack requires that you reboot. If you have previously installed an iFix for this problem and you choose to install a Service Pack, you will be required to deinstall the iFix first. For instructions on deinstalling an iFix, read Managing Interim Fixes on AIX.

Downloadable packages
Level                 APAR      Service Pack           Requires reboot?
7100-01-03-1207       IV16514   7100-01-04 or higher   Yes
7100-01-02-1150       IV16514   7100-01-04 or higher   Yes
7100-01-01-1141       IV16514   7100-01-04 or higher   Yes
6100-07-03-1207       IV16587   6100-07-04 or higher   Yes
6100-07-02-1150       IV16587   6100-07-04 or higher   Yes
6100-07-01-1141       IV16587   6100-07-04 or higher   Yes
>>> 6100-06-07-1207   IV16567   6100-06-08 or higher   Yes
6100-06-06-1140       IV16567   6100-06-08 or higher   Yes
>>> 6100-05-08-1207   IV16568   6100-05-09 or higher   Yes
6100-05-07-1140       IV16568   6100-05-09 or higher   Yes
6100-04-11-1140       IV16569   Not available *

      (*) Normal service ended for this level on November 2011. IBM recommends upgrading to a higher AIX 6.1 level or migrating to AIX 7.1.

      Do I have to reboot?

      Yes. Both the Option 1 and Option 2 require a reboot.

      VIOS potential impact is minor

      The PowerVM Virtual I/O Server (VIOS) is also affected by this problem but the potential impact is reduced because only VIOS times would be affected.

      Olson time zone format versus POSIX time zone format

      The TZ environment variable is used to represent time zone information. The value of TZ can be specified in one of the two formats in AIX: POSIX or Olson.

      POSIX format specification

      The TZ variable specified in POSIX format contains all the information required to identify time zone, specify when to switch DST on and off, and specify the offset from UTC (Universal Time). Note that the system internally does everything in UTC time, and any display of time to the users is a computed offset depending on the time zone and DST rules specified.

The advantage of POSIX is that you can easily and explicitly specify time zone and DST details manually, however you wish. The performance of applications that call time functions will be faster than with the Olson specification. And whenever a nation’s government decides to change its DST rules, the POSIX format is simpler because you can simply change the variable definition. There is no need to install any new patch to update time database files, as Olson requires.

Note: Clients using POSIX time format in regions that do not use the US DST time change will always use customized override values for Daylight Savings Time because the default POSIX time zones change DST on the US dates.

A disadvantage of the POSIX format is that it cannot track the history of time zone-related changes. When a government changes the rules and you update your TZ variable, it is assumed to be the same DST rule for all years past and future. Another disadvantage is pure readability: Olson uses known names of cities or regions, while POSIX format may look cryptic to anyone unfamiliar with it.

      Olson format specification

      This style of specification overcomes the disadvantages of the POSIX approach. In this method a database is maintained for each time zone, with details of history of time zone and DST changes. You can specify the time zone name in a simple, more human-friendly format, such as “America/Sao_Paulo” rather than specifying the more complex TZ=GRNLNDST3GRNLNDDT,M10.3.0/00:00:00,M2.4.0/00:00:00.

      The advantage with this approach is that the time zone name is easy to specify and Olson keeps a history of time zone and DST related changes.

The disadvantage with this approach is that Olson has to load the database file for each time zone specified, and then parse it to find the time zone and DST details. This process can have a modest performance penalty compared to POSIX format. Additionally, when a government changes a time zone or DST rule, a new patch becomes necessary for the Olson time database file.

      Olson time zone format has been available in AIX since Version 6.1 in 2007 and has been in use in client environments for many years.

      Additional information on AIX levels at risk

To determine if your system is at risk, run the following commands and evaluate the output against the list of affected levels.

      lslpp -Ou -qlc bos.rte.date
      lslpp -Ou -qlc bos.rte.libc

      If any filesets match any of the following levels, you are at risk.

Affected levels
libc Library                Date Control Commands    AIX oslevel -s
bos.rte.libc 7.1.1.2        bos.rte.date 7.1.1.2     7100-01-03-1207
bos.rte.libc 7.1.1.1        bos.rte.date 7.1.1.1     7100-01-02-1150
bos.rte.libc 7.1.1.0        bos.rte.date 7.1.1.0     7100-01-01-1141
bos.rte.libc 6.1.7.2        -                        6100-07-03-1207
bos.rte.libc 6.1.7.1        -                        6100-07-02-1150
bos.rte.libc 6.1.7.0        -                        6100-07-01-1141
>>> bos.rte.libc 6.1.6.17   -                        6100-06-07-1207
bos.rte.libc 6.1.6.16       -                        6100-06-06-1140
>>> bos.rte.libc 6.1.5.8    -                        6100-05-08-1207
bos.rte.libc 6.1.5.7        -                        6100-05-07-1140
bos.rte.libc 6.1.4.10       -                        6100-04-11-1140
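The flash says a system is exposed only when both conditions hold: an affected bos.rte.libc level and a POSIX-format TZ. The shell script below is an added example, not part of the IBM flash, that combines the two tests from the sections "Determining if you are using the POSIX Time Zone format" and "Additional information on AIX levels at risk": it classifies a TZ value into the three kinds shown in the sample-results table and matches the installed libc level against the affected list. It assumes the colon-separated layout of "lslpp -lc" output (path:fileset:level:...) when reading the level; the sample lslpp line is constructed, not real system output, and the TZ classification is a heuristic (comma means explicit DST rules, a slash means an Olson Area/City name).

```shell
#!/bin/sh
# Added example (not from the IBM flash): the flash's two-condition exposure test.
# Assumptions: affected bos.rte.libc levels copied from the flash's table;
# the lslpp line is parsed in "lslpp -lc" colon layout (path:fileset:level:...);
# the sample line below is constructed, not real output.

# bos.rte.libc levels the flash lists as affected.
AFFECTED_LIBC="7.1.1.2 7.1.1.1 7.1.1.0 6.1.7.2 6.1.7.1 6.1.7.0 6.1.6.17 6.1.6.16 6.1.5.8 6.1.5.7 6.1.4.10"

# tz_format VALUE -> prints olson | posix | posix-custom-dst
# Heuristic matching the flash's sample table: a comma introduces explicit
# DST rules (POSIX with override values); a slash marks an Olson Area/City
# name; a remaining value with a UTC offset digit (EST5EDT, GMT0BST) is
# plain POSIX; anything else is treated as Olson.
tz_format() {
    case $1 in
        *,*)      echo posix-custom-dst ;;
        */*)      echo olson ;;
        *[0-9]*)  echo posix ;;
        *)        echo olson ;;
    esac
}

# libc_level_affected LEVEL -> 0 when LEVEL is in the affected list
libc_level_affected() {
    for lvl in $AFFECTED_LIBC; do
        [ "$lvl" = "$1" ] && return 0
    done
    return 1
}

# lslpp_level LINE -> prints the Level field (third colon field) of one lslpp -lc line
lslpp_level() {
    printf '%s\n' "$1" | cut -d: -f3
}

# dst_exposed TZ_VALUE LSLPP_LINE -> 0 (exposed) only if TZ is POSIX-format
# AND the installed bos.rte.libc level is one of the affected levels.
dst_exposed() {
    fmt=$(tz_format "$1")
    lvl=$(lslpp_level "$2")
    case $fmt in olson) return 1 ;; esac
    libc_level_affected "$lvl"
}

# Constructed sample line in lslpp -lc layout (not real system output).
SAMPLE_LSLPP="/usr/lib/objrepos:bos.rte.libc:6.1.7.2: : :C: :libc Library: : : : : : : :0:0:/:1207"

# On a live system the same test would be:
#   dst_exposed "$TZ" "$(lslpp -Ou -qlc bos.rte.libc)"
if dst_exposed "CET-1CEST,M3.5.0/02:00:00,M10.5.0/03:00:00" "$SAMPLE_LSLPP"; then
    echo "exposed: POSIX-format TZ on an affected bos.rte.libc level; apply Option 1 or Option 2"
else
    echo "not exposed: no action needed"
fi
```

Because the check returns "not exposed" as soon as the TZ is Olson, it mirrors the flash's instruction to take no action on Olson systems regardless of level.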

      PowerHA: PREVENT EMAIXOS (HARMAD) FROM RUNNING IN HACMP ON AIX 6.1

      Many thanks to a great customer for having me add this to the blog…

We’ve recently run into this and it’s pretty much benign, but annoying. The APAR’s not new (2010), but our version of HACMP did not have the APAR in it. Only caveat I found is that it appears this subsystem is still required for Oracle 9i (which explains why it’s not part of the standard release of HACMP).

      Link:  http://www.ibm.com/support/docview.wss?uid=isg1IZ86787

      IZ86787: PREVENT EMAIXOS (HARMAD) FROM RUNNING IN HACMP ON AIX 6.1

Error description

This is a code change in RSCT to stop running the emaixos subsystem (harmad process) in PowerHA clusters on AIX 6.1.

See APAR IZ47424 for more background.

Problem summary

While existing levels of PowerHA may still be supporting applications which are dependent on the RSCT subsystem “emsvcs” (haemd process), its supporting subsystem “emaixos” (harmad process) is not needed even on those clusters.

This harmad process has also been the source of most of the recent incompatibility issues with the latest levels of AIX 6.1, generating error messages or core dumps which demand attention and time from system admins even though the process itself no longer provides useful services.

      FLASH: AIX NFSv4 vulnerability

       

      VULNERABILITY: AIX NFSv4 vulnerability

      PLATFORMS: AIX 5.3, 6.1, and 7.1 releases

      SOLUTION: Apply the fix as described below.

      THREAT: See below

      CVE Numbers: CVE-2012-4817

      Reboot required? YES
      Workarounds? NO
      Protected by FPM? NO
      Protected by SED? NO

      ===============================================================================
      DETAILED INFORMATION

I. DESCRIPTION (from cve.mitre.org)

      GID in NFSv4 is loosely enforced.

      II. CVSS

      CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78431 for the current score
      CVSS Environmental Score*: Undefined
      CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

      III. PLATFORM VULNERABILITY ASSESSMENT

      Note: To use the following commands on VIOS you must first
      execute:

      oem_setup_env

      To determine if your system is vulnerable, execute the following
      command:

      lslpp -L bos.net.nfs.client

      The following fileset levels are vulnerable:

AIX Fileset          Lower Level   Upper Level
-----------------------------------------------
bos.net.nfs.client   5.3.12.0      5.3.12.5
bos.net.nfs.client   6.1.6.0       6.1.6.17
bos.net.nfs.client   6.1.7.0       6.1.7.2
bos.net.nfs.client   7.1.0.0       7.1.0.20
bos.net.nfs.client   7.1.1.0       7.1.1.3
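Comparing an installed fileset level against the Lower/Upper ranges above needs a numeric, field-by-field VRMF comparison (a plain string compare would put 7.1.0.3 after 7.1.0.20). The script below is an added example, not part of the IBM flash: it carries the vulnerable ranges from the table, compares dotted levels numerically, and reads the Level column of the bos.net.nfs.client row from "lslpp -L" output. The sample lslpp output is constructed for the demonstration and is not real system output.

```shell
#!/bin/sh
# Added example (not from the IBM flash): is the installed bos.net.nfs.client
# level inside one of the vulnerable ranges? Assumptions: levels are dotted
# VRMF strings compared field by field; the "lslpp -L" sample below is
# constructed, and only its fileset-name and level columns are relied on.

# Vulnerable ranges from the flash, one "lower upper" pair per line.
VULN_RANGES="5.3.12.0 5.3.12.5
6.1.6.0 6.1.6.17
6.1.7.0 6.1.7.2
7.1.0.0 7.1.0.20
7.1.1.0 7.1.1.3"

# vrmf_cmp A B -> prints -1, 0 or 1 after comparing each dotted field numerically
vrmf_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return 0; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# nfs_client_vulnerable LEVEL -> 0 when LEVEL lies inside any vulnerable range
# (a here-document is used instead of a pipe so the loop can return directly).
nfs_client_vulnerable() {
    lvl=$1
    while read -r lo hi; do
        [ -z "$lo" ] && continue
        if [ "$(vrmf_cmp "$lvl" "$lo")" -ge 0 ] && [ "$(vrmf_cmp "$lvl" "$hi")" -le 0 ]; then
            return 0
        fi
    done <<EOF
$VULN_RANGES
EOF
    return 1
}

# Constructed sample of "lslpp -L bos.net.nfs.client" output (not real output).
SAMPLE_LSLPP_L="  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.net.nfs.client         7.1.1.3    C     F    Network File System Client"

# lslpp_nfs_level TEXT -> prints the Level column of the bos.net.nfs.client row
lslpp_nfs_level() {
    printf '%s\n' "$1" | awk '$1 == "bos.net.nfs.client" { print $2 }'
}

# On a live system (after oem_setup_env on VIOS):
#   nfs_client_vulnerable "$(lslpp_nfs_level "$(lslpp -L bos.net.nfs.client)")"
if nfs_client_vulnerable "$(lslpp_nfs_level "$SAMPLE_LSLPP_L")"; then
    echo "bos.net.nfs.client is at a vulnerable level: apply the APAR for this AIX level"
else
    echo "bos.net.nfs.client is outside the vulnerable ranges"
fi
```

The ranges are inclusive at both ends, as the table's Lower/Upper columns are; the level one step above an upper bound (7.1.1.4, 6.1.6.18) is the fixed level and is reported as not vulnerable.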

      IV. SOLUTIONS

      A. APARS

      IBM has assigned the following APARs to this problem:

AIX Level   APAR number   Availability
----------------------------------------
5.3.12      IV17855       Available as of SP6
6.1.6       IV10327       Available as of SP7
6.1.7       IV11629       Available as of SP3
7.1.0       IV26436       12/12/12 sp8
7.1.1       IV12169       Available as of SP4

      Subscribe to the APARs here:

      http://www.ibm.com/support/docview.wss?uid=isg1IV17855
      http://www.ibm.com/support/docview.wss?uid=isg1IV10327
      http://www.ibm.com/support/docview.wss?uid=isg1IV11629
      http://www.ibm.com/support/docview.wss?uid=isg1IV26436
      http://www.ibm.com/support/docview.wss?uid=isg1IV12169

      By subscribing, you will receive periodic email alerting you
      to the status of the APAR, and a link to download the fix once
      it becomes available.

      B. FIXES

      Fixes are available. The fixes can be downloaded via ftp
      from:

      ftp://aix.software.ibm.com/aix/efixes/security/nfsv4_fix1.tar

      The link above is to a tar file containing this signed
      advisory, fix packages, and PGP signatures for each package.
      The fixes below include prerequisite checking. This will
      enforce the correct mapping between the fixes and AIX
      Technology Levels.

AIX Level   Interim Fix (*.Z)
-------------------------------------
7.1.0.7     IV26436s07.120907.epkg.Z

VIOS Level            Interim Fix (*.Z)
-------------------------------------
2.2.1.4-FP-25 SP-02   Included in current SP

      To extract the fixes from the tar file:

      tar xvf nfsv4_fix1.tar
      cd nfsv4_fix1

      Verify you have retrieved the fixes intact:

The checksums below were generated using the “csum -h SHA1” (sha1sum) command:

csum -h SHA1 (sha1sum)                     filename
------------------------------------------------------------------
8f42e3c1a5eb3a0d73d7be8d38265544f9abd866   IV26436s07.120907.epkg.Z

      To verify the sum, use the text of this advisory as input to sha1sum.
      For example:

      csum -h SHA1 -i Advisory.asc
      sha1sum -c Advisory.asc

      These sums should match exactly. The PGP signatures in the tar
      file and on this advisory can also be used to verify the
      integrity of the fixes. If the sums or signatures cannot be
      confirmed, contact IBM AIX Security at
      security-alert@austin.ibm.com and describe the discrepancy.
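The following shell script is an added example, not part of the IBM flash, showing a fail-closed version of the "sums should match exactly" check above: it looks the package name up in an advisory-style digest table, computes the digest of the file on disk, and refuses anything not listed or not matching. It uses GNU sha1sum (on AIX, "csum -h SHA1" prints the same digest); the package file and its table row in the demonstration are constructed on the fly, not the real IV26436s07.120907.epkg.Z and its published sum.

```shell
#!/bin/sh
# Added example (not from the IBM flash): verify a downloaded fix against the
# advisory's digest table before installing it. Assumptions: table rows have
# the form "<sha1> <filename>"; sha1sum is available (csum -h SHA1 on AIX
# gives the same digest); the demo package below is constructed here.

# expected_sum TABLE FILENAME -> prints the digest listed for FILENAME, or nothing
expected_sum() {
    printf '%s\n' "$1" | awk -v f="$2" '$2 == f { print $1 }'
}

# actual_sum PATH -> prints the SHA-1 of the file on disk
actual_sum() {
    sha1sum "$1" | cut -d' ' -f1
}

# fix_verified TABLE PATH -> 0 only when the file is listed and the digests match.
# Any other outcome (not listed, unreadable, mismatch) returns 1 so that a
# caller chaining "fix_verified ... && installp ..." never installs it.
fix_verified() {
    name=$(basename "$2")
    want=$(expected_sum "$1" "$name")
    if [ -z "$want" ]; then
        echo "$name is not listed in the advisory digest table" >&2
        return 1
    fi
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
    have=$(actual_sum "$2")
    if [ "$want" != "$have" ]; then
        echo "digest mismatch for $name: advisory $want, file $have" >&2
        return 1
    fi
    return 0
}

# Constructed demonstration: a fake package, a table row built from its true
# digest, then the same row checked against a tampered copy.
demo_dir=$(mktemp -d)
pkg="$demo_dir/example-fix.epkg.Z"          # placeholder name, not a real fix
printf 'constructed fix payload\n' > "$pkg"
TABLE="$(actual_sum "$pkg") example-fix.epkg.Z"
fix_verified "$TABLE" "$pkg" && echo "intact: safe to preview with installp -p / emgr -p"
printf 'x' >> "$pkg"                         # simulate a corrupted or altered download
fix_verified "$TABLE" "$pkg" || echo "tampered: do not install; report the discrepancy"
rm -rf "$demo_dir"
```

The filename lookup matters as much as the digest compare: a file that is not in the table at all is rejected rather than silently passed, which is the discrepancy the flash asks you to report to security-alert@austin.ibm.com.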

      C. FIX AND INTERIM FIX INSTALLATION

      IMPORTANT: If possible, it is recommended that a mksysb backup
      of the system be created. Verify it is both bootable and
      readable before proceeding.

      To preview a fix installation:

installp -a -d fix_name -p all   # where fix_name is the name of the fix package being previewed

To install a fix package:

installp -a -d fix_name -X all   # where fix_name is the name of the fix package being installed

      Interim fixes have had limited functional and regression
      testing but not the full regression testing that takes place
      for Service Packs; however, IBM does fully support them.

      Interim fix management documentation can be found at:

      http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

      To preview an interim fix installation:

emgr -e ipkg_name -p   # where ipkg_name is the name of the interim fix package being previewed

To install an interim fix package:

emgr -e ipkg_name -X   # where ipkg_name is the name of the interim fix package being installed

      V. WORKAROUNDS

      There are no workarounds.

      VI. CONTACT INFORMATION

      If you would like to receive AIX Security Advisories via email,
      please visit:

      http://www.ibm.com/systems/support

      and click on the “My notifications” link.

      To view previously issued advisories, please visit:

      http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

      Comments regarding the content of this announcement can be
      directed to:

      security-alert@austin.ibm.com

      To obtain the PGP public key that can be used to communicate
      securely with the AIX Security Team you can either:

      A. Send an email with “get key” in the subject line to:

      security-alert@austin.ibm.com

      B. Download the key from our web page:

      http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

      C. Download the key from a PGP Public Key Server. The key ID is:

      0x28BFAA12

      Please contact your local IBM AIX support center for any
      assistance.

      eServer is a trademark of International Business Machines
      Corporation. IBM, AIX and pSeries are registered trademarks of
      International Business Machines Corporation. All other trademarks
      are property of their respective holders.

      VII. ACKNOWLEDGMENTS

      IBM discovered and fixed this vulnerability as part of its
      commitment to secure the AIX operating system.

      VIII. REFERENCES:

      Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
      On-line Calculator V2:
      http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
      X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/78431
      CVE-2012-4817: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4817

      *The CVSS Environment Score is customer environment specific and will
      ultimately impact the Overall CVSS Score. Customers can evaluate the
      impact of this vulnerability in their environments by accessing the links
      in the Reference section of this Flash.

      Note: According to the Forum of Incident Response and Security Teams
      (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry
      open standard designed to convey vulnerability severity and help to
      determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES
      “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
      MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
      RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
      VULNERABILITY.