Author Topic: SECURITY: ZLib vulnerability in CMOD  (Read 1870 times)

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2229
  • CMOD Guru for hire...
    • Tenacious Consulting
SECURITY: ZLib vulnerability in CMOD
« on: September 28, 2022, 01:37:19 PM »
IBM released a security bulletin for an old vulnerability from 2018 that affects current versions of CMOD:

https://www.ibm.com/support/pages/node/6824729

In short, it would allow an attacker that ALREADY has a very high level of access to your system to cause CMOD to crash.

Upgrading to the latest fixpack is always a good idea; this is just another reason to stay current on patches.

Ask your questions below, and I'll ask the developers to pop by and respond.  Thanks.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Justin Derrick

Re: SECURITY: ZLib vulnerability in CMOD
« Reply #1 on: October 05, 2022, 10:20:07 AM »
Just a brief update.  I've exchanged eMails with IBM, and in order to exploit this bug, an attacker would need access to modify data in the cache or secondary storage (Tivoli Storage Manager / Spectrum Protect / Cloud Storage Buckets / Filesystems).  This is a pretty extreme level of access, meaning that any attacker looking to exploit this bug would already be able to do far more damage than simply crash CMOD instances.

In short, the level of risk associated with this alert is extremely low.

-JD.