Security Bulletin: ACLs not backed up on VxFS-HP-UX filesystems by IBM Spectrum Protect Backup-Archive Client (CVE-2019-4236)

Summary

ACL entries associated with a file or directory on a VxFS HP-UX filesystem may not be backed up by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client.

Vulnerability Details

CVEID: CVE-2019-4236 DESCRIPTION: A Spectrum Protect client backup or archive operation running for an HP-UX VxFS object is not backing up Access Control List (ACL) entries in certain cases. As a result, restoring or retrieving an object may have incorrect ACL entries.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159418&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

This security exposure affects IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client levels 7.1.0.0 through 7.1.8.5 on HP-UX IA64.

Remediation/Fixes

Backup-Archive
Client Release |

First Fixing VRM Level

| APAR | Platform | Link to Fix
—|—|—|—|—
7.1 | 7.1.8.6 | IT28620 | HP-UX IA64
|

<https://www.ibm.com/support/docview.wss?uid=swg24044550&gt;

Workarounds and Mitigations

None