===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0302
     Security Bulletin: IBM TS3500 Tape Library Update for Security
          Vulnerability in Web User Interface (CVE-2012-5767)
                              28 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM TS3500 Tape Library
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5767

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004282

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM TS3500 Tape Library Update for Security Vulnerability
in Web User Interface (CVE-2012-5767)

Document information

3584 UltraScalable Tape Library

Version: Not Applicable
Operating system(s): Platform Independent
Reference #: S1004282
Modified date: 2013-02-22

Abstract

Download an update to the TS3500 Tape Library which contains a fix for a
security vulnerability that could allow unauthorized access to restricted
actions.

Content

DESCRIPTION:

An authorized user of the TS3500 web user interface could exploit a
vulnerability that would give that user a higher level of access than
originally granted. The IBM TS3500 tape library firmware has been updated to
contain a fix for this vulnerability.

CVEID: CVE-2012-5767
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80272 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:

All TS3500 tape libraries with firmware versions lower than C260.

REMEDIATION:

The recommended solution is to apply the fix, which is contained in firmware
version C260 and above.

Fix: Apply firmware version C260 or later, available from IBM Fix Central
http://www-933.ibm.com/support/fixcentral/

Workaround(s): None

Mitigation(s): Only provide remote login access to persons that can be
trusted not to attempt to hack into a higher level of access permissions, or
only provide remote login access to persons with administrator privileges
(where there is no higher level access to hack into).

REFERENCES:

  * Complete CVSS Guide
  * On-line Calculator V2
  * CVE-2012-5767
  * X-Force Vulnerability Database http://xforce.iss.net/

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

The vulnerability was reported to IBM by Narodowe Archiwum Cyfrowe (National
Digital Archives).

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================