IBM TSM ASNODENAME Proxy Authorization Bypass Vulnerability (APAR IT13609)

From this webpage screenshot, the following key information about the vulnerability can be obtained: Vulnerability Name: IT13609: UNAUTHORIZED TIVOLI STORAGE MANAGER CLIENT SESSIONS USING ASNODENAME OPTION MAY RUN AS AUTHORIZED SESSIONS. APAR Status: Closed as program error. Error Description: Tivoli Storage Manager clients can use the ASNODENAME option, which allows the client session to run as a proxy for another client to which they have been granted proxy authority. The Tivoli Storage Manager server fails to adequately check the authorization of client sessions using the ASNODENAME option and runs the session as an authorized session. As a result, unauthorized users with proxy authority can generate and retrieve backup data that they would otherwise not be allowed to write or access. Affected Users: All Tivoli Storage Manager server users. Issue Description: See Security Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21975957 Recommended Fix: Apply fixing level when available. This problem has been fixed in 7.1.4. This problem is currently projected to be fixed in levels 6.3.6. Note that this is subject to change at the discretion of IBM. Please see security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21975957 for recommendations on other levels. Affected Platforms: AIX, HP-UX, Solaris, and Linux. APAR Information: - APAR number: IT13609 - Reported component name: TSM SERVER - Reported component ID: 5698ISMSV - Reported release: 71L - Status: CLOSED PER PE - HIPER: NoHIPER - Special Attention: NoSpecatt / Xsystem - Submitted date: 2016-02-03 - Closed date: 2016-02-05 - Last modified date: 2016-02-08

Goal Reached Thanks to every supporter — we hit 100%!

IBM TSM ASNODENAME Proxy Authorization Bypass Vulnerability (APAR IT13609)