Multiple security vulnerabilities exist in Tivoli Storage Manager (IBM Spectrum Protect) Operations Center as described under Vulnerability Details.
CVEID: CVE-2016-6043
DESCRIPTION: Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged-in user due to session expiration not being enforced.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117134 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-6044
DESCRIPTION: IBM Tivoli Storage Manager Operations Center could allow an authenticated attacker to enable or disable the application's REST API, which may let the attacker violate security policy.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117145 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2016-6045
DESCRIPTION: IBM Tivoli Storage Manager Operations Center is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117146 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2016-6046
DESCRIPTION: IBM Tivoli Storage Manager Operations Center is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117147 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
The following versions of Tivoli Storage Manager (IBM Spectrum Protect) Operations Center are affected:
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Operations Center | 7.1 | 7.1.7.100 - ALL Operating Systems |
| Operations Center | 6.4 | 6.4.2.500 - ALL Operating Systems (see NOTE below) |
NOTE:
For Operations Center that is running on IBM® AIX®, you must first install Operations Center 6.4.2.000 and then upgrade to Operations Center 6.4.2.500.
You should verify that applying this fix does not cause any compatibility issues.
None