Jun 17, 2018 - 3:45 p.m.

Security Bulletin: Potential password exposure in IBM Spectrum Protect (formerly Tivoli Storage Manager) Server (CVE-2017-1339)

2018-06-17 15:45:06
www.ibm.com

EPSS: 0.001 (Low)
Percentile: 23.1%

Summary

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server may use a weak algorithm for encrypting passwords.

Vulnerability Details

CVEID: CVE-2017-1339
DESCRIPTION: IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) Server uses weak encryption for the password. A database administrator may be able to decrypt the IBM Spectrum Protect client or administrator password, which can result in information disclosure or a denial of service. IBM X-Force ID: 126247.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126247 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following IBM Spectrum Protect (formerly Tivoli Storage Manager) server levels:

  • 8.1.0.0 through 8.1.1.x
  • 7.1.0.0 through 7.1.7.x
  • 6.3 and below all levels (these releases are EOS)
    Note that 6.4 shipped with 6.3 servers.

Remediation/Fixes

IBM Spectrum Protect (Tivoli Storage Manager) Server Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target
---|---|---|---
8.1 | (8.1.2) 8.1.3 | AIX, Linux, Windows | Although this issue has been fixed in 8.1.2, it is recommended to upgrade to 8.1.3 of the server using the following link: <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/>
7.1 | 7.1.8 | AIX, HP-UX, Linux, Solaris, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/>
6.3 and below | | | 6.3 and below are EOS. Customers on these releases can upgrade the server to a fixed level (8.1.3/8.1.2 or 7.1.8). Note that 6.4 shipped with 6.3 servers.
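
As an added example (not part of IBM's bulletin or tooling), the affected ranges and fixing levels listed above can be turned into a triage check over a server inventory. The function names are hypothetical, the host names and level strings in the sample are constructed, and levels above the fixing level within a release are assumed to retain the fix.

```python
import re

# Release -> (first fixed V.R.M, level the bulletin points to), from this bulletin.
FIXES = {(8, 1): ((8, 1, 2), (8, 1, 3)), (7, 1): ((7, 1, 8), (7, 1, 8))}
EOS_CEILING = (6, 3)  # "6.3 and below all levels (these releases are EOS)"

def parse_level(text):
    """Parse 'V.R[.M[.F]]' into a 4-tuple of ints; None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def fmt(vrm):
    return ".".join(str(n) for n in vrm)

def triage(level_text):
    """Return (status, advice) for one reported server level."""
    level = parse_level(level_text)
    if level is None:
        return ("unparsed", "verify the server level manually")
    release, vrm = level[:2], level[:3]
    if release <= EOS_CEILING:
        return ("affected-eos", "upgrade to 8.1.3/8.1.2 or 7.1.8")
    if release not in FIXES:
        # The bulletin says nothing about this release; do not guess.
        return ("unlisted", "release is not covered by this bulletin")
    first_fixed, recommended = FIXES[release]
    if vrm < first_fixed:
        return ("affected", "upgrade to " + fmt(recommended))
    if vrm < recommended:
        return ("fixed", "bulletin recommends " + fmt(recommended))
    # Assumption: levels at or above the fixing level keep the fix.
    return ("fixed", "no action needed for CVE-2017-1339")

def triage_inventory(inventory):
    """Map each host to its (status, advice) pair."""
    return {host: triage(level) for host, level in inventory.items()}

# Constructed sample inventory: host name -> level reported by the server.
SAMPLE = {"sp-prod-01": "8.1.1.100", "sp-prod-02": "8.1.2.0",
          "sp-dr-01": "7.1.7.300", "sp-old-01": "6.3.6.0", "sp-lab-01": "n/a"}

if __name__ == "__main__":
    for host, (status, advice) in triage_inventory(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:10} {status:13} {advice}")
```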

Workarounds and Mitigations

None
