In association with heise online

03 April 2007, 12:29

Update fixes bug in IBM's Tivoli Provisioning Manager


IBM has released a Fix Pack for security vulnerabilities in its Tivoli Provisioning Manager for OS Deployment that an attacker could use to crash the server or possibly execute arbitrary code. The software deploys operating systems to networked computers over the network via the Pre-boot Execution Environment (PXE). The vulnerabilities affect the web interface used to administer the server.

The vulnerabilities were reported by security services provider iDefense. Memory corruption can occur when the server processes crafted form data in multipart HTTP POST requests, causing it to crash or overwriting memory on the heap. An attacker does not need to be logged on to the system, but merely needs to be able to send packets to the server, which by default listens on ports 8080 and 443.
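To make the bug class concrete, here is an added illustration written for this article; it is not IBM's code and does not reproduce the actual defect iDefense found. It parses the `name="..."` parameter of a multipart/form-data `Content-Disposition` header into a fixed-size heap buffer. The function names, the 64-byte field limit and the sample headers are all assumptions chosen for the example. `parse_field_name_unsafe` trusts the attacker-controlled length and so overwrites the heap chunk on an oversized name; `parse_field_name_safe` checks the length against the allocation and rejects the request instead.

```c
/*
 * Added example (not IBM's code): how a multipart/form-data header parser
 * can corrupt the heap, beside the bounds-checked version that rejects
 * oversized input. Function names, FIELD_MAX and the sample headers are
 * assumptions made for this illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the server-side field name buffer */

/* Locate the value of name="..." in a Content-Disposition header line.
 * Returns a pointer just after the opening quote and stores the value
 * length in *len, or returns NULL if the parameter is absent/unterminated. */
static const char *find_name_value(const char *hdr, size_t *len)
{
    const char *p = strstr(hdr, "name=\"");
    if (!p)
        return NULL;
    p += strlen("name=\"");
    const char *q = strchr(p, '"');
    if (!q)
        return NULL;
    *len = (size_t)(q - p);
    return p;
}

/* VULNERABLE: copies an attacker-controlled number of bytes into a fixed
 * 64-byte heap allocation. A name of 64 bytes or more writes past the
 * chunk: a crash at best, controlled heap corruption at worst.
 * Never call this with untrusted input. */
char *parse_field_name_unsafe(const char *hdr)
{
    size_t len;
    const char *v = find_name_value(hdr, &len);
    if (!v)
        return NULL;
    char *out = malloc(FIELD_MAX);
    if (!out)
        return NULL;
    memcpy(out, v, len);      /* len is never compared with FIELD_MAX */
    out[len] = '\0';
    return out;
}

/* HARDENED: the length is checked against the allocation before the copy.
 * Oversized or malformed headers are rejected rather than truncated, so
 * the caller can fail the whole request. */
char *parse_field_name_safe(const char *hdr)
{
    size_t len;
    const char *v = find_name_value(hdr, &len);
    if (!v || len >= FIELD_MAX)
        return NULL;
    char *out = malloc(FIELD_MAX);
    if (!out)
        return NULL;
    memcpy(out, v, len);
    out[len] = '\0';
    return out;
}

/* Constructed sample header for a benign request. */
static const char BENIGN_HDR[] =
    "Content-Disposition: form-data; name=\"hostname\"\r\n";

/* Build a constructed header whose name value is n bytes of 'A'.
 * The caller frees the result. */
char *make_long_header(size_t n)
{
    const char prefix[] = "Content-Disposition: form-data; name=\"";
    const char suffix[] = "\"\r\n";
    char *h = malloc(sizeof prefix - 1 + n + sizeof suffix);
    if (!h)
        return NULL;
    memcpy(h, prefix, sizeof prefix - 1);
    memset(h + sizeof prefix - 1, 'A', n);
    memcpy(h + sizeof prefix - 1 + n, suffix, sizeof suffix); /* includes NUL */
    return h;
}

int main(void)
{
    char *ok = parse_field_name_safe(BENIGN_HDR);
    printf("benign header: %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *evil = make_long_header(200);
    char *r = parse_field_name_safe(evil);
    printf("200-byte name: %s\n", r ? r : "(rejected)");
    /* parse_field_name_unsafe(evil) would write ~137 bytes past the 64-byte chunk */
    free(r);
    free(evil);
    return 0;
}
```

The point is the single comparison in the hardened version: the length taken from the request must be checked against the destination's size before any copy, and a failing check should reject the request rather than silently truncate it. Because the server accepts these requests before authentication, the same care applies to every field the parser touches, not only the one shown here.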

By default the server runs with system privileges, so injected code would obtain full access to the system. iDefense notes that the server can also be started with limited privileges and recommends that administrators configure it to do so. The risk can also be reduced by restricting access to the server with a firewall.

IBM has provided updates for the affected versions ( and earlier) on its website. Fix Pack 2 also fixes other, more cosmetic bugs and adds support for further operating systems.
