
Security Bulletin: Tivoli Storage Manager (IBM Spectrum Protect) SQL interface vulnerable to unauthorized access (CVE-2016-8940)

2018-06-17 15:35:53
www.ibm.com

EPSS: 0.001 (Low), Percentile: 41.1%

Summary

Tivoli Storage Manager (IBM Spectrum Protect) SQL interface is vulnerable to unauthorized access to user credentials and product sensitive information.

Vulnerability Details

CVEID: CVE-2016-8940
DESCRIPTION: IBM Tivoli Storage Manager (IBM Spectrum Protect) does not perform sufficient authority checking on SQL queries. As a result, any administrator, regardless of their authority, is able to submit SQL queries that access database tables that are not intended for access or use by administrators. Access to these product-specific database tables may expose passwords or other sensitive information for the product.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118791 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) Server levels:

  • 7.1.0.0 through 7.1.7.0
  • 6.3.0.0 through 6.3.6.0
  • 6.2 and 6.1 all levels (these releases are EOS)

Note that this vulnerability has been fixed in 8.1.0.0.
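As an added helper that is not part of IBM's bulletin, the following Python checks a server VRMF level against the affected and fixed levels listed above. Levels the bulletin does not name (for example anything between 7.1.7.0 and 7.1.7.100) are reported as "not listed" rather than guessed; treating every level from 8.1.0.0 upward as fixed is an assumption based on the note that the fix shipped in 8.1.0.0.

```python
"""Assess an IBM Tivoli Storage Manager / Spectrum Protect server level
against the ranges this bulletin gives for CVE-2016-8940."""
from typing import List, Tuple

Version = Tuple[int, int, int, int]


def parse_level(level: str) -> Version:
    """Parse a VRMF string such as '7.1.7.100' into a 4-tuple of ints.
    Missing trailing components are zero, so '6.2' becomes (6, 2, 0, 0)."""
    parts: List[int] = [int(p) for p in level.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected level format: {level!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


# Inclusive ranges exactly as the bulletin states them.
AFFECTED_RANGES = [
    (parse_level("7.1.0.0"), parse_level("7.1.7.0")),
    (parse_level("6.3.0.0"), parse_level("6.3.6.0")),
]
# 6.1 and 6.2: all levels affected, no fix (end of service); upgrade required.
EOS_BRANCHES = [(6, 1), (6, 2)]
# First fixed level per maintained release stream.
FIXED_LEVELS = {(7, 1): parse_level("7.1.7.100"), (6, 3): parse_level("6.3.6.100")}
# Assumption: 8.1.0.0 and every later level carry the fix.
FIRST_FIXED_RELEASE = parse_level("8.1.0.0")


def assess(level: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a server level."""
    v = parse_level(level)
    if v[:2] in EOS_BRANCHES:
        return "affected"
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    fixed = FIXED_LEVELS.get(v[:2])
    if fixed is not None and v >= fixed:
        return "fixed"
    if v >= FIRST_FIXED_RELEASE:
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample levels, not taken from any real inventory.
    for sample in ("7.1.7.0", "7.1.7.100", "7.1.7.50", "6.3.6.0", "6.2.5.3", "8.1.4.0"):
        print(f"{sample:>10}: {assess(sample)}")
```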


Remediation/Fixes

| Tivoli Storage Manager Server Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.7.100 | AIX, HP-UX, Linux, Solaris, Windows | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Manager&release=7.1.7.100&platform=All&function=all |
| 6.3 | 6.3.6.100 | AIX, HP-UX, Linux, Solaris, Windows | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Manager&release=6.3.6.100&platform=All&function=all |
| 6.2 and 6.1 | | | Customers on these releases can upgrade the server to a fixed level (7.1.7.100 or 6.3.6.100). Contact IBM Support if you have any questions. |

Workarounds and Mitigations

None
