
EGI CSIRT:Alerts/tsm-2010-12-16

From EGIWiki
Revision as of 14:13, 16 December 2010 by Ocalladw (talk | contribs)

This Advisory is a DRAFT

** WHITE information - Unlimited distribution allowed                       ** 
** see for distribution restrictions **


Title:       HIGH root vulnerabilities in Tivoli Storage Manager (TSM) client software [EGI-ADV-20101216] TLP:WHITE
Date:        2010-12-16



Multiple vulnerabilities have been found in IBM Tivoli Storage Manager (TSM) client software.
This is a HIGH risk for the EGI infrastructure as a whole, but is CRITICAL for sites running the vulnerable software.

A patch is available from the vendor (see link below).


One of the vulnerabilities would allow unauthorized users with network access to execute commands.
The commands could, for example, allow the attacker to read, copy, alter, or delete files on the client machine.

The other vulnerabilities would allow a local user to read, copy, alter, or delete files, or to 
replace system files on the client with arbitrary content.

Risk Category

This issue has been assessed as HIGH by the EGI CSIRT for the EGI infrastructure as a whole
but is CRITICAL for sites running the vulnerable software.

Affected Software

IBM Tivoli Storage Manager (TSM). RedHat packages are named TIVsm-*.

For each release, the vendor has provided the version numbers for vulnerable and fixed patch levels.

Release    Vulnerable versions        Fixed version
TSM 6.2 through    6.2.2
TSM 6.1 through    6.1.4
TSM 5.5 through   5.5.3
TSM 5.4 through


Sites may wish to delete or move the affected commands until a patch is applied:

rm /opt/tivoli/tsm/client/ba/bin/dsmtca

Component Installation information

Fixes and instructions are available from IBM, linked from the Alert at


Sites running IBM Tivoli Storage Manager should check if they are running a vulnerable version.

These sites should immediately apply the vendor patches.
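
One way to run that check on an RPM-based host, as an added example that is not part of the original advisory. It assumes the last column of the table above is the first fixed level for each release; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify installed TIVsm-* packages against the fixed levels
# in the advisory table (assumption: last column = first fixed level).

# fixed_level RELEASE -> prints the fixed level for that release, fails if none is listed
fixed_level() {
    case "$1" in
        6.2) echo 6.2.2 ;;
        6.1) echo 6.1.4 ;;
        5.5) echo 5.5.3 ;;
        *)   return 1 ;;   # e.g. 5.4: no fixed level is given on the page
    esac
}

# version_lt A B -> true if dotted version A is strictly lower than B (numeric per field)
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)" = "$1" ]
}

# classify VERSION -> vulnerable | patched | unknown
classify() {
    release=$(echo "$1" | cut -d. -f1,2)
    fixed=$(fixed_level "$release") || { echo unknown; return; }
    if version_lt "$1" "$fixed"; then echo vulnerable; else echo patched; fi
}

# report -> one line per installed TIVsm-* package, plus the state of dsmtca
report() {
    rpm -qa --qf '%{NAME} %{VERSION}\n' 'TIVsm-*' | while read -r name ver; do
        echo "$name $ver: $(classify "$ver")"
    done
    # The advisory suggests removing or moving dsmtca until the patch is applied;
    # list it if it is still in place.
    tca=/opt/tivoli/tsm/client/ba/bin/dsmtca
    [ -e "$tca" ] && ls -l "$tca"
    return 0
}

# Only query the package database where rpm is available.
if command -v rpm >/dev/null 2>&1; then report; fi
```

A result of `unknown` means the page lists no fixed level for that release, so the vendor alert has to be consulted for it.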


This vulnerability was reported by IBM and Kryptos Logic.


IBM Alert:


2010-12-14 IBM alert published
2010-12-15 EGI CSIRT / RAT / SVG notified
2010-12-16 EGI advisory published

On behalf of the EGI CSIRT and SVG