Security Bulletin: Information Disclosure and Denial of Service Vulnerabilities in the IBM Spectrum Protect Backup-Archive Client may affect IBM Spectrum Protect for Space Management (CVE-2022-22478, CVE-2022-22474)

Summary

The IBM Spectrum Protect back-up archive client is vulnerable to information disclosure and denial of service vulnerabilities which may affect IBM Spectrum Protect for Space Management.

Vulnerability Details

CVEID:CVE-2022-22478
**DESCRIPTION:**IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225886 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-22474
**DESCRIPTION:**IBM Spectrum Protect 8.1.0.0 through 8.1.14.0 dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations. IBM X-Force ID: 225348.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225348 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

_IBM Spectrum Protect for
Space Management Affected Versions
_|Fixing
Level|Platform|_Link to Fix and Instructions
_
—|—|—|—
8.1.0-8.1.14
| 8.1.15| AIX
Linux| <https://www.ibm.com/support/pages/node/316077&gt;

Workarounds and Mitigations

None