=====================================================================
CERT-Renater Information Note No. 2013/VULN091
_____________________________________________________________________
DATE                 : 01/03/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running IBM TS3500 Tape Library firmware
                       versions prior to C260.
======================================================================

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004282
______________________________________________________________________

Security Bulletin: IBM TS3500 Tape Library Update for Security
Vulnerability in Web User Interface (CVE-2012-5767)

Document information
  3584 UltraScalable Tape Library
  Version:             Not Applicable
  Operating system(s): Platform Independent
  Reference #:         S1004282
  Modified date:       2013-02-22

Abstract

Download an update to the TS3500 Tape Library which contains a fix for a
security vulnerability that could allow unauthorized access to restricted
actions.

Content

DESCRIPTION:
An authorized user of the TS3500 web user interface could exploit a
vulnerability that would give that user a higher level of access than
originally granted, i.e. an authenticated privilege escalation (hence the
Au:S in the CVSS vector below). The IBM TS3500 tape library firmware has
been updated to contain a fix for this vulnerability.

CVEID: CVE-2012-5767
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80272 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:
All TS3500 tape libraries with firmware versions lower than C260.

REMEDIATION:
The recommended solution is to apply the fix, which is contained in firmware
version C260 and above.

Fix:
Apply firmware version C260 or later, available from IBM Fix Central:
http://www-933.ibm.com/support/fixcentral/

Workaround(s): None

Mitigation(s):
Until the firmware is updated, only grant remote login access to persons who
can be trusted not to attempt to escalate to a higher level of access
permissions, or only grant remote login access to persons who already hold
administrator privileges (so that there is no higher level of access to
escalate to).

REFERENCES:
  * Complete CVSS Guide
  * On-line Calculator V2
  * CVE-2012-5767
  * X-Force Vulnerability Database http://xforce.iss.net/

RELATED INFORMATION:
  * IBM Secure Engineering Web Portal
  * IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Narodowe Archiwum Cyfrowe (National
Digital Archives).

======================================================================
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41     +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================
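The bulletin above gives a CVSS base score of 6.5 for the vector (AV:N/AC:L/Au:S/C:P/I:P/A:P) and points to the CVSS v2 guide and calculator. As an added example (not part of the CERT-Renater note or the IBM bulletin), the following Python script recomputes a CVSS v2 base score from a vector string using the published v2 equations, so a reader can verify the 6.5 and see that the "partial" C/I/A impacts and the single-authentication requirement are what hold it below High. The NVD severity bands and the extra sample vectors in the main block are assumptions of this example; the weights and equations are those of the CVSS v2 guide.

```python
"""Recompute a CVSS v2 base score from its vector string.
Example code written for this note; it is not from IBM or CERT-Renater."""
import re
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2 guide (the "Complete CVSS Guide"
# referenced by the bulletin).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

# NVD's qualitative bands for v2 base scores (an assumption of this
# example; the bulletin only states the number).
SEVERITY_BANDS = [(0.0, 3.9, "Low"), (4.0, 6.9, "Medium"), (7.0, 10.0, "High")]


def round_half_up(x, places=1):
    """CVSS rounds to one decimal, half away from zero; Python's round()
    uses round-half-even on binary floats, so go through Decimal."""
    return float(Decimal(repr(x)).quantize(Decimal(f"1e-{places}"),
                                           rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Turn '(AV:N/AC:L/Au:S/C:P/I:P/A:P)' into {'AV': 'N', ...}.
    Unknown metrics or values, duplicates and missing metrics are rejected
    so a typo cannot silently yield a plausible-looking score."""
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        m = re.fullmatch(r"(AV|AC|Au|C|I|A):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if value not in WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [k for k in WEIGHTS if k not in metrics]
    if missing:
        raise ValueError(f"missing metrics {missing}")
    return metrics


def subscores(vector):
    """Impact, exploitability and base scores per the CVSS v2 equations,
    each rounded to one decimal (the base is computed from the unrounded
    subscores, as the guide specifies)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - WEIGHTS["C"][m["C"]])
                        * (1 - WEIGHTS["I"][m["I"]])
                        * (1 - WEIGHTS["A"][m["A"]]))
    exploitability = (20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
                      * WEIGHTS["Au"][m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all pins the score to 0
    base = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return {
        "impact": round_half_up(impact),
        "exploitability": round_half_up(exploitability),
        "base": round_half_up(base),
    }


def base_score(vector):
    return subscores(vector)["base"]


def severity(score):
    for lo, hi, label in SEVERITY_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score out of range: {score}")


if __name__ == "__main__":
    # The vector published for CVE-2012-5767, followed by two constructed
    # vectors showing both ends of the scale.
    for vec in ("(AV:N/AC:L/Au:S/C:P/I:P/A:P)",
                "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "AV:L/AC:H/Au:M/C:N/I:N/A:N"):
        s = subscores(vec)
        print(f"{vec:32} impact={s['impact']:4} exploitability="
              f"{s['exploitability']:4} base={s['base']:4} {severity(s['base'])}")
```

For the bulletin's vector the script yields impact 6.4, exploitability 8.0 and base 6.5, matching IBM's figure. Changing Au:S to Au:N (no login needed) or any impact from P to C is enough to push the result into the High band, which is the quantitative reading of the mitigation text: the score is what it is only because a valid web UI login is required first.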