Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMADEB1A097B6247BBC5DCAC9CD1A69F530615E1DAF5D8B530153A10CC3DB01C1E
HistoryJun 17, 2018 - 3:28 p.m.

Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager for Space Management (CVE-2016-0371)

2018-06-1715:28:40
www.ibm.com
12

EPSS

0

Percentile

12.6%

JSON

Summary

When application tracing is enabled and a password change operation is performed, the Tivoli Storage Manager (IBM Spectrum Protect) password is displayed in plain text in the trace output when using IBM Tivoli Storage Manager for Space Management (IBM Spectrum Protect for Space Management).

Vulnerability Details

CVEID: CVE-2016-0371**
DESCRIPTION:** The Tivoli Storage Manager (TSM) password may be displayed in plain text via application trace output while application tracing is enabled.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112090 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following levels of IBM Tivoli Storage Manager for Space Management (IBM Spectrum Protect for Space Management) are affected:

  • 7.1.0.0 through 7.1.6.2
  • 6.4.0.0 through 6.4.3.3
  • 6.3.0.0 through 6.3.2.5

Remediation/Fixes

Tivoli Storage Manager Client Release

| First
Fixing
VRM Level|Platform|Link to Fix / Fix Availability Target
—|—|—|—
7.1| 7.1.6.3| AIX GPFS

AIX JFS2

Linux x86

Linux z-Series| <ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v7r1/AIX/HSMGPFS/v716/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v7r1/AIX/HSMJFS2/v716/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v7r1/Linux/LinuxX86/HSMGPFS/v716/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v7r1/Linux/LinuxzSeries/HSMGPFS/v716/&gt;
6.4| 6.4.3.4| AIX GPFS

AIX JFS2

Linux x86| <ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v6r4/AIX/HSMGPFS/v643/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v6r4/AIX/HSMJFS2/v643/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v6r4/Linux/LinuxX86/HSMGPFS/v643/&gt;
6.3| 6.3.2.6| AIX GPFS

AIX JFS2

Linux x86| <ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/HSMGPFS/v632/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/HSMJFS2/v632/&gt;
<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Linux/LinuxX86/HSMGPFS/v632/&gt;

Workarounds and Mitigations

Tracing is disabled by default. It is normally enabled only when directed by IBM support to troubleshoot an issue.

To minimize exposure to this vulnerability, disable tracing unless required and delete trace files that are no longer needed.

Related

ibm 2
prion 1
openvas 3
nvd 1
cvelist 1
cve 1
ibm
ibm
Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager Client (CVE-2016-0371)
2018-06-17 15:24:35
Security Bulletin: A security vulnerability has been identified in IBM Tivoli Storage Manager that affects multiple IBM Tivoli Storage products (CVE-2016-0371)
2018-06-17 15:30:32
prion
prion
Design/Logic Flaw
2017-02-01 21:59:00
openvas
openvas
IBM TSM Client 'Password' Information Disclosure Vulnerability - Windows
2017-06-02 00:00:00
IBM TSM Client 'Password' Information Disclosure Vulnerability - Mac OS X
2017-06-02 00:00:00
IBM TSM Client 'Password' Information Disclosure Vulnerability - Linux
2017-06-02 00:00:00
nvd
nvd
CVE-2016-0371
2017-02-01 21:59:00
cvelist
cvelist
CVE-2016-0371
2017-02-01 21:00:00
cve
cve
CVE-2016-0371
2017-02-01 21:59:00

EPSS

0

Percentile

12.6%

JSON
Related for ADEB1A097B6247BBC5DCAC9CD1A69F530615E1DAF5D8B530153A10CC3DB01C1E
ibm2prion1openvas3nvd1cvelist1cve1