Jun 29, 2022 - 7:14 p.m.

Security Bulletin: Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)

2022-06-29 19:14:29
www.ibm.com

CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 35.6%

Summary

The IBM Spectrum Protect Backup-Archive Client is vulnerable to information disclosure because user credentials are stored in memory in plain text. The Backup-Archive Client is also vulnerable to a denial of service due to incorrect handling of certain read operations on TCP/IP sockets.

Vulnerability Details

**CVEID:** CVE-2022-22478
**DESCRIPTION:** IBM Spectrum Protect Client stores user credentials in plain clear text which can be read by a local user.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225886 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2022-22474
**DESCRIPTION:** IBM Spectrum Protect dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225348 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

**Affected Product(s)**|**Version(s)**
---|---
IBM Spectrum Protect Client|8.1.0.0-8.1.14.0

Remediation/Fixes

**IBM Spectrum Protect Backup-Archive Client Affected Versions**|**Fixing Level**|**Platform**|**Link to Fix and Instructions**
---|---|---|---
8.1.0.0-8.1.14.0|8.1.15|AIX, HP-UX, Linux, Macintosh, Solaris, Windows|<https://www.ibm.com/support/pages/node/6593819>

NOTE: APAR IT40671 was created for CVE-2022-22474.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm spectrum_protect, Match 8.1

CPE Name|Operator|Version
---|---|---
ibm spectrum protect|eq|8.1
