Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC5ABD2E304867E0D1067E706944DD427857D8DDC9374D1C07CB6FA9860F94F69
HistoryJun 17, 2018 - 3:27 p.m.

Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager for Space Management (CVE-2016-5927)

2018-06-1715:27:51
www.ibm.com
4

EPSS

0

Percentile

5.1%

JSON

Summary

IBM Tivoli Storage Manager for Space Management (IBM Spectrum Protect for Space Management) may display the Tivoli Storage Manager password when application tracing is enabled.

Vulnerability Details

CVEID: CVE-2016-5927**
DESCRIPTION:** IBM Tivoli Storage Manager for Space Management displays the encrypted Tivoli Storage Manager password in application trace output if application tracing is enabled for the dsmsetpw command using the trace flag GENERAL, SM, SMVERBOSE, or SERVICE.
CVSS Base Score: 4.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115812 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following levels of IBM Tivoli Storage Manager for Space Management (IBM Spectrum Protect for Space Management) are affected:

  • 7.1.0.0 through 7.1.4.x
  • 6.4.0.0 through 6.4.3.2
  • 6.3.0.0 through 6.3.2.5

Remediation/Fixes

Tivoli Storage Manager for Space Management Release

| First Fixing VRM Level|APAR Number|Platform|Link to Fix / Fix Availability Target
—|—|—|—|—
7.1| 7.1.6| IT15203| AIX
Linux| http://www.ibm.com/support/docview.wss?&uid=swg24042243
6.4| 6.4.3.3| IT15203| AIX GPFS
AIX JFS2
Linux x86| <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r4/AIX/HSMGPFS/v643&gt;
<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r4/AIX/HSMJFS2/v643&gt;
<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r4/Linux/LinuxX86/HSMGPFS/v643&gt;
6.3| 6.3.2.6| IT15203| AIX GPFS
AIX JFS2
Linux x86| <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/HSMGPFS/v632&gt;
<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/AIX/HSMJFS2/v632&gt;
<ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v6r3/Linux/LinuxX86/HSMGPFS/v632&gt;

Workarounds and Mitigations

With default trace levels (GENERAL, SM, SMVERBOSE, SERVICE), the password is displayed.
To minimize exposure to this vulnerability, do not use tracing in the dsm.opt file and prevent tracing of command “dsmsetpw” unless instructed to do so by IBM. Delete existing trace files that are no longer needed.

Related

cvelist 1
prion 1
nvd 1
cve 1
cvelist
cvelist
CVE-2016-5927
2016-09-12 10:00:00
prion
prion
Input validation
2016-09-12 10:59:00
nvd
nvd
CVE-2016-5927
2016-09-12 10:59:02
cve
cve
CVE-2016-5927
2016-09-12 10:59:02

EPSS

0

Percentile

5.1%

JSON
Related for C5ABD2E304867E0D1067E706944DD427857D8DDC9374D1C07CB6FA9860F94F69
cvelist1prion1nvd1cve1