Security Bulletin: Unauthorized Access Vulnerability affects IBM Tivoli Storage Manager Client (CVE-2016-2894)

Published: 2018-06-17 15:23:17
Source: www.ibm.com
EPSS score: 0 (percentile 5.1%)

Summary

When performing an archive and retrieve operation using a symbolic link, the IBM Tivoli Storage Manager (IBM Spectrum Protect) Client could allow a local user to access files they are otherwise not allowed to access.

Vulnerability Details

CVEID: CVE-2016-2894
DESCRIPTION: IBM Tivoli Storage Manager could allow a local user to obtain sensitive information from other users' files, provided that an archive and retrieve operation has been performed using a symbolic link.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113066 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

The following levels of IBM Tivoli Storage Manager (IBM Spectrum Protect) Client are affected:

  • 7.1.0.0 through 7.1.4.x
  • 6.4.0.0 through 6.4.3.2
  • 6.3.0.0 through 6.3.2.5
  • 6.2, 6.1, and 5.5, all levels (these releases are end of service, EOS, and receive no fix)

Remediation/Fixes

| Tivoli Storage Manager Client Release | First Fixing VRM Level | APAR | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|---|
| 7.1 | 7.1.6 | IT13686 | AIX, HP-UX, Linux, Solaris | http://www.ibm.com/support/docview.wss?uid=swg24042350 |
| 6.4 | 6.4.3.3 | IT13686 | AIX, HP-UX, Linux, Solaris | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
| 6.3 | 6.3.2.6 | IT13686 | AIX, HP-UX, Linux, Solaris | http://www.ibm.com/support/docview.wss?uid=swg24037930 |
| 6.2, 6.1, and 5.5 | None | None | AIX, HP-UX, Linux, Solaris | Upgrade to a fixed level (7.1.6, 6.4.3.3, or 6.3.2.6). |
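The following is an added example, not IBM code, that turns the affected ranges and first-fixing levels in this bulletin into a version check an administrator can run against an installed client. It accepts either a dotted VRMF string or a client banner line of the form "Client Version 7, Release 1, Level 4.0"; that banner layout is an assumption about the client's output, so adjust the regular expression if your client prints it differently. The sample inputs at the bottom are constructed.

```python
"""Classify a Tivoli Storage Manager / Spectrum Protect client version against
the levels named in this bulletin (CVE-2016-2894, APAR IT13686).

Added example; not IBM code. The banner regex assumes a line such as
"Client Version 7, Release 1, Level 4.0" (assumption about client output).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges from the bulletin, inclusive. None in the last position is a
# wildcard for "any modification level" (the bulletin's "7.1.4.x").
AFFECTED_RANGES = [
    ((7, 1, 0, 0), (7, 1, 4, None)),
    ((6, 4, 0, 0), (6, 4, 3, 2)),
    ((6, 3, 0, 0), (6, 3, 2, 5)),
]
# Release streams affected at all levels and end of service (no fix in stream).
EOS_RELEASES = {(6, 2), (6, 1), (5, 5)}
# First fixing VRM level per release stream.
FIRST_FIX = {(7, 1): (7, 1, 6, 0), (6, 4): (6, 4, 3, 3), (6, 3): (6, 3, 2, 6)}

BANNER_RE = re.compile(r"Client Version (\d+), Release (\d+), Level (\d+)(?:\.(\d+))?")
DOTTED_RE = re.compile(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?\s*")


def parse_version(text: str) -> Optional[Version]:
    """Return (V, R, M, F) from a banner line or a dotted string, or None."""
    m = BANNER_RE.search(text) or DOTTED_RE.fullmatch(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


def _in_range(v: Version, lo: Version, hi: Tuple[int, int, int, Optional[int]]) -> bool:
    """Inclusive range test; a None fix level in hi matches any fix level."""
    hi_full = tuple(999 if x is None else x for x in hi)
    return lo <= v <= hi_full


def classify(version_text: str) -> str:
    """One of: fixed, affected, eos, unlisted, unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    stream = v[:2]
    if stream in EOS_RELEASES:
        return "eos"
    fix = FIRST_FIX.get(stream)
    if fix is not None and v >= fix:
        return "fixed"
    if any(_in_range(v, lo, hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    # e.g. 7.1.5.x (named neither as affected nor as fixed here) or 8.x streams
    return "unlisted"


def remediation(version_text: str) -> Optional[str]:
    """Upgrade target from the fix table, or None when no action is needed."""
    status = classify(version_text)
    if status == "eos":
        return "7.1.6, 6.4.3.3, or 6.3.2.6"
    if status == "affected":
        fix = FIRST_FIX[parse_version(version_text)[:2]]  # type: ignore[index]
        return ".".join(str(x) for x in fix).rstrip(".0") or "7.1.6"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real client output.
    for sample in ("Client Version 7, Release 1, Level 4.0", "7.1.6",
                   "6.4.3.2", "6.3.2.6", "5.5.4.0", "7.1.5.0", "not a version"):
        print(f"{sample!r:45} -> {classify(sample):11} {remediation(sample) or ''}")
```

Note that 7.1.5.x is named neither in the affected list nor as a fixing level on this page, so the check reports it as "unlisted" rather than guessing; treat such levels conservatively and confirm against the APAR before deciding no upgrade is needed.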

Workarounds and Mitigations

None
