Security Bulletin: A vulnerability in the Administrative command line client affects IBM Storage Protect Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management (CVE-2023-40368)

Summary

IBM Storage Protect Backup-Archive Client, IBM Storage Protect for Virtual Environments (Data Protection for Hyper-V and Data Protection for VMware), and IBM Storage Protect for Space Management, can be affected by a vulnerability in the Administrative command line interface. The vulnerability can lead to information disclosure, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID:CVE-2023-40368
**DESCRIPTION:**IBM Storage Protect Client could allow a privileged user to obtain sensitive information from the administrative command line client.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263456 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

The affected product component has been updated to resolve the issue. A new processing option, -CREDENTIALSFILE, has been introduced. See the product documentation (“What’s new”) for more details on this change.

Workarounds and Mitigations

None