Dec 13, 2022 - 5:24 p.m.

Security Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)

2022-12-13 17:24:57
www.ibm.com

CVSS3: 6.8 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 42.2%

Summary

IBM Spectrum Protect Plus does not encrypt data transfer between vSnap servers and application agents. This could allow an attacker to view sensitive information in transit.

Vulnerability Details

CVEID: CVE-2020-4497
**DESCRIPTION:** IBM Spectrum Protect Plus discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using man-in-the-middle techniques.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182106 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Spectrum Protect Plus | 10.1.0-10.1.12

Remediation/Fixes

IBM Spectrum Protect Plus 10.1.13 introduces the Transport Encryption feature. With transport encryption, you can protect the data transport between the application host and vSnap during backup and restore. The feature secures each data path between the application host and the vSnap by encrypting and decrypting the data. For more information about Transport Encryption, see <https://www.ibm.com/docs/en/SSNQFQ_10.1.13/spp/r_spp_vSnap_transportencryption.html>

IBM Spectrum Protect Plus Affected Versions | Fixing Level | Platform | Link to Fix and Instructions
10.1.0-10.1.12 | 10.1.13 | Linux | https://www.ibm.com/support/pages/node/6827871

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm spectrum_protect_plus, Match 10.1
CPE Name | Operator | Version
ibm spectrum protect plus | eq | 10.1
