Jun 17, 2018 - 3:32 p.m.

Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware (CVE-2016-6033)

2018-06-17 15:32:06
www.ibm.com
5

EPSS: 0.001 (Low), Percentile: 31.0%

Summary

IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect™ for Virtual Environments) and IBM Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect™ Snapshot) are vulnerable to cross-site request forgery. An attacker could execute malicious and unauthorized actions transmitted from a user that the website trusts.

Vulnerability Details

CVEID: CVE-2016-6033
DESCRIPTION: IBM Tivoli Storage Manager for Virtual Environments (VMware) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116892 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

The following products and versions are affected.

  • Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments):
    - 7.1.0.0 through 7.1.6.3

  • Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect Snapshot):
    - 4.1.0.0 through 4.1.6.0

Remediation/Fixes

| Tivoli Storage Manager for VE: Data Protection for VMware Release | First Fixing VRMF Level | Client Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.6.4 | Linux, Windows | http://www.ibm.com/support/docview.wss?uid=swg24042520 |

| Tivoli Storage FlashCopy Manager for VMware Release | First Fixing VRMF Level | Client Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 4.1 | 4.1.6.1 | Linux | ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v4r1/vmware/v4161/ |

Workarounds and Mitigations

None
