Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type Technical Instruction Sure Solution 1950826.1 : VSM6 “POODLE” OpenSSL Vulnerability
Applies to:
StorageTek Virtual Storage Manager System 6 (VSM6) - Version All Versions to All Versions [Release All Releases]
Oracle Solaris on SPARC (64-bit)

Goal
Apply security options to prevent access to the vulnerability.

Solution
There are two areas within the VSM6 VTSS that could lead to a potential vulnerability:
1) The VSM_CLI_CLIENT command line interface
2) The web-based VSM6 VTSS Maintenance GUI interface

The VSM6 VTSS platform itself does not have this vulnerability, and to access the VSM_CLI or Maintenance GUI, the user must first be authenticated by the VSM6 VTSS.
VSM_CLI_CLIENT: Within the command line interface, using the parameter called “connect” to connect to a different VSM6 VTSS platform on the network could potentially expose this vulnerability. Using the “connect” command is not typical or necessary, and it is not taught within VSM6 Service as a means of communicating with a different VTSS. This parameter is scheduled to be removed in future release 6.2.0.00.000 and higher, currently scheduled for March 2015.
Action: Do NOT use the CLI “connect” command.
VSM6 VTSS MAINTENANCE GUI: The VSM6 Maintenance GUI exposure can be disabled within web browser settings. VSM6 VTSS supports the web browsers Firefox and Internet Explorer.
For Firefox
--Enter “about:config” as the web address.
--Check that the value displayed on the web page for "security.tls.version.min" is set to 1.
--If it is not, double-click on the value and set it to 1.
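The Firefox check above, run against profile files instead of the about:config page, as an added example that is not part of the Oracle document. It assumes the standard Firefox profile files prefs.js and user.js and Firefox's encoding of the preference (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2); the function names and the sample file contents are constructed for illustration.

```python
import re

# Matches an active line such as: user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(\d+)\s*\)\s*;',
    re.MULTILINE)

# Firefox encoding of this preference (assumption stated in the lead-in).
NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

def tls_min_from_prefs(text):
    """Return the last value a prefs file assigns to the preference, or None."""
    values = PREF_RE.findall(text)
    return int(values[-1]) if values else None

def audit_profile(prefs_js, user_js=""):
    """Return (status, detail). user.js is applied at startup, so it wins."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = tls_min_from_prefs(text)
        if value is not None:
            break
    else:
        # Firefox stores only changed preferences in the profile, so the
        # effective value is the build default: read it in about:config.
        return ("CHECK", "not set in profile; confirm the value in about:config")
    label = NAMES.get(value, f"unknown value {value}")
    if value == 0:
        return ("FAIL", f"{source} allows {label}; set the value to 1")
    if value == 1:
        return ("OK", f"{source} sets the minimum to {label}")
    return ("REVIEW", f"{source} sets {label}, above the value 1 given above")

# Constructed sample profile contents (not taken from a real system).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
'''
SAMPLE_USER = '''// user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.min", 1);
'''

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PREFS))               # prefs.js alone
    print(audit_profile(SAMPLE_PREFS, SAMPLE_USER))  # user.js overrides
```

A "CHECK" result means the profile does not pin the value, so the about:config step above is still required on that workstation.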
For Internet Explorer
--On the Internet Explorer Tools menu, click Internet Options.
--Click on the Advanced tab.
--Locate “Use SSL 3.0” and ensure the box is not checked for this capability.
--Ensure the following boxes are checked: “Use TLS 1.0”, “Use TLS 1.1”, and “Use TLS 1.2”.
Attachments
This solution has no attachment