Apr 02, 2019 - 3:15 p.m.

Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2018-1882)

2019-04-02 15:15:02
www.ibm.com
EPSS: 0.001 (Low), percentile 24.0%

Summary

When tracing is enabled, the IBM Spectrum Protect Backup-Archive Client trace file may display the password in plain text. This affects the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client and IBM Spectrum Protect for Virtual Environments.

Vulnerability Details

CVEID: CVE-2018-1882
DESCRIPTION: In certain atypical IBM Spectrum Protect configurations, the node password could be displayed in plain text in the IBM Spectrum Protect client trace file.
CVSS Base Score: 4.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/151968> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This security exposure affects the following products and levels:

  • IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client levels:
    - 8.1.0.0 through 8.1.6.1
    - 7.1.0.0 through 7.1.8.4

  • IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage Manager for Virtual Environments): Data Protection for VMware levels:
    - 8.1.0.0 through 8.1.6.1
    - 7.1.0.0 through 7.1.8.4

  • IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage Manager for Virtual Environments): Data Protection for Hyper-V levels:
    - 8.1.0.0 through 8.1.6.1
    - 7.1.0.0 through 7.1.8.0

Remediation/Fixes

| Backup-Archive Client Release | First Fixing VRM Level | APAR | Platform | Link to Fix |
|---|---|---|---|---|
| 8.1 | 8.1.7 | IT26637 | AIX, Linux, Macintosh, Solaris, Windows | <https://www.ibm.com/support/docview.wss?uid=ibm10872618> |
| 7.1 | 7.1.8.5 | IT26637 | AIX, HP-UX, Linux, Macintosh, Solaris, Windows | <http://www.ibm.com/support/docview.wss?uid=swg24044550> |

| Data Protection for VMware Release | First Fixing VRM Level | APAR | Platform | Link to Fix |
|---|---|---|---|---|
| 8.1 | 8.1.7 | IT28132 | Linux, Windows | <https://www.ibm.com/support/docview.wss?uid=ibm10744187> |
| 7.1 | 7.1.8.5 | IT28132 | Linux, Windows | Data Protection for VMware 7.1 customers can upgrade to Data Protection for VMware 7.1.8.5 or apply the above 7.1.8.5 client fix. Data Protection for VMware 7.1.8.5 link: <https://www.ibm.com/support/docview.wss?uid=swg24044553> Client 7.1.8.5 link: <http://www.ibm.com/support/docview.wss?uid=swg24044550> |

| Data Protection for Hyper-V Release | First Fixing VRM Level | APAR | Platform | Link to Fix |
|---|---|---|---|---|
| 8.1 | 8.1.7 | IT28133 | Windows | <https://www.ibm.com/support/docview.wss?uid=ibm10744187> |
| 7.1 | | | Windows | Apply the above 7.1.8.5 client fix using the following link: <http://www.ibm.com/support/docview.wss?uid=swg24044550> |

Workarounds and Mitigations

To minimize exposure to this vulnerability, do not use tracing in the options file (dsm.opt) unless instructed to do so by IBM, and delete existing trace files that are no longer needed.
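
One way to check a host against this workaround, as an added example that is not part of IBM's bulletin: the script scans a client options file for active trace options and reports the configured trace file so it can be reviewed and deleted. The option names (TRACEFILE, TRACEFLAGS, TRACEMAX, TRACESEGSIZE) and the `*` comment prefix are assumptions taken from the client's options-file syntax, not from this bulletin; the sample file and its paths are constructed.

```shell
#!/bin/sh
# Added example: audit a Backup-Archive Client options file for tracing.
# Assumed option names: TRACEFILE, TRACEFLAGS, TRACEMAX, TRACESEGSIZE
# (case-insensitive); lines starting with "*" are comments and are ignored.

# Print every active (non-comment) trace option found in the file.
trace_options() {
    grep -iE '^[[:space:]]*trace(file|flags|max|segsize)[[:space:]]' "$1"
}

# Print the path configured with TRACEFILE, if there is one.
trace_file_path() {
    awk 'tolower($1) == "tracefile" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Report findings. Returns 0 when tracing is configured, 1 when it is not.
audit_options_file() {
    opt=$1
    if trace_options "$opt" >/dev/null; then
        echo "TRACING ENABLED in $opt:"
        trace_options "$opt" | sed 's/^/    /'
        path=$(trace_file_path "$opt")
        if [ -n "$path" ] && [ -f "$path" ]; then
            # The trace file may hold the node password in plain text.
            echo "    existing trace file to review and delete: $path"
        fi
        return 0
    fi
    echo "no trace options in $opt"
    return 1
}

# Constructed sample options file (hypothetical node name and paths).
sample=$(mktemp)
cat > "$sample" <<'EOF'
* traceflags service    (commented out, ignored)
NODENAME     build-host-01
TRACEFLAGS   service
TRACEFILE    /tmp/dsm_trace.out
EOF

audit_options_file "$sample"
```

On a real host, call `audit_options_file` with the path of the client's actual dsm.opt instead of the sample file.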
