
Security Bulletin: SQL Server Password Disclosure via IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server and IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (CVE-2016-3059)

2018-06-17 15:26:47
www.ibm.com

EPSS: 0.001 (Low), percentile 20.6%

Summary

When using IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server or IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server, the Microsoft SQL Server’s user ID and password are presented in plain text via task completion status details available within the MMC GUI’s Task List view.

Vulnerability Details

CVEID: CVE-2016-3059
DESCRIPTION: IBM Tivoli Storage Manager for Database (SQL) stores the user ID and password of a Microsoft SQL Server in plain text via the Task List information available within the MMC GUI interface.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following levels of IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases) are affected:

  • 6.4.0.0 through 6.4.1.8
  • 6.3.0.0 through 6.3.1.6

The following levels of IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (IBM Spectrum Protect Snapshot) are affected:

  • 3.2.0.0 through 3.2.1.8
  • 3.1.0.0 through 3.1.1.6

Remediation/Fixes

Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server Release | First Fixing VRM Level | Link to Fix / Fix Availability Target
---|---|---
6.4 | 6.4.1.9 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/
6.3 | 6.3.1.7 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/

Tivoli Storage FlashCopy Manager for Microsoft SQL Server Release | First Fixing VRM Level | Link to Fix / Fix Availability Target
---|---|---
3.2 | 3.2.1.9 | ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
3.1 | 3.1.1.7 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions.
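
An added example, not part of IBM's bulletin: a small inventory check that applies the affected ranges and first fixing levels listed above to installed versions, including the 3.1 case where no fix can be downloaded. The product keys, host names and inventory rows are constructed for illustration, and collecting the installed versions is assumed to happen elsewhere.

```python
import re

# Affected ranges and first fixing levels, copied from this bulletin.
# Product keys ("dp_sql", "fcm_sql") are labels invented for this example.
AFFECTED = {
    "dp_sql": [  # Data Protection for Microsoft SQL Server
        ((6, 4, 0, 0), (6, 4, 1, 8), "6.4.1.9"),
        ((6, 3, 0, 0), (6, 3, 1, 6), "6.3.1.7"),
    ],
    "fcm_sql": [  # FlashCopy Manager for Microsoft SQL Server
        ((3, 2, 0, 0), (3, 2, 1, 8), "3.2.1.9"),
        # 3.1.1.7 is the first fixing level but is no longer downloadable.
        ((3, 1, 0, 0), (3, 1, 1, 6), None),
    ],
}

def parse_vrmf(text):
    """Parse 'V.R.M.F' into a 4-tuple of ints; short forms are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"not a V.R.M.F version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(product, version):
    """Return (status, action) for one installed product level."""
    v = parse_vrmf(version)
    for low, high, fix in AFFECTED[product]:
        if low <= v <= high:
            if fix is None:
                return ("affected", "upgrade to a supported release")
            return ("affected", f"apply {fix} or later")
    return ("not listed", "outside the ranges in this bulletin")

# Constructed inventory rows (host, product, version) for illustration.
INVENTORY = [
    ("sqlbak01", "dp_sql", "6.4.1.8"),
    ("sqlbak02", "dp_sql", "6.4.1.9"),
    ("sqlbak03", "fcm_sql", "3.1.0"),
]

def report(rows=INVENTORY):
    """Triage every inventory row and return (host, status, action) tuples."""
    return [(host, *triage(product, ver)) for host, product, ver in rows]

if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```
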

Workarounds and Mitigations

Set the “Use Microsoft Windows authentication” option instead of the “Use SQL Server authentication” option to allow authentication to the Microsoft SQL Server via a trusted Microsoft Windows connection.

If you cannot utilize the “Use Microsoft SQL Server authentication” option, manually clear the Task List from the MMC GUI after every operation. To remove a Task List entry, click on the Task and then click on the “Remove” button. You can also remove all completed tasks from the Task List using the “Remove Completed” option.
