IBM Support

IT35746: INCOMPLETE FIX FOR CVE-2020-4854


APAR status

  • Closed as program error.

Error description

  • CVE-2020-4854 was fixed in version 10.1.7, but only in the
    IBM Spectrum Protect Plus vSnap code.
    When the vSnap component is upgraded to 10.1.7, it deletes the
    static credentials.
    For new deployments of IBM Spectrum Protect Plus at version
    10.1.7, the onboard vSnap does not exist, so this vulnerability
    is not present.
    For existing deployments which are upgraded to version 10.1.7
    from an earlier version, the onboard vSnap does not get
    upgraded automatically.
    
    IBM Spectrum Protect Plus Versions Affected:
    IBM Spectrum Protect Plus 10.1.7
    
    | MDVPARTL 10.1.7 5737SPLUS |
    
    Initial Impact: Medium
    
    Additional Keywords: SPP, SPPLUS, TS004852393, cve, SPP-14672
    

Local fix

  • Documentation exists on how to disable or migrate an onboard
    vSnap:
    https://www.ibm.com/support/knowledgecenter/en/SSNQFQ_10.1.7/spp/t_spp_migrating_vsnap_data_to_standalone_vsnap.html
    
    To fix the problem, do one of the following:
    1. Manually upgrade the onboard vSnap on the SPP host to 10.1.7.
    OR
    2. If you are not using the onboard vSnap:
       a. Uninstall the vSnap 10.1.6 or earlier version:
             sudo yum remove vsnap
       b. Then delete the static password:
             sudo passwd -d vsnap
          It is important to uninstall vSnap before deleting the
          password. If the vSnap component remains at an earlier
          level, the static password might be re-enabled during the
          next boot.
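    As an added example, not part of the IBM record, the POSIX shell
    functions below check the two things the local fix changes (the
    onboard vSnap package and the password field of the vsnap account)
    and report which step is still outstanding, including the
    ordering caveat above. The `rpm -q vsnap` output format
    "vsnap-<version>-<release>.<arch>" is an assumption; command
    outputs are passed in as strings so the logic runs offline.

```shell
# Added example, not IBM's code: post-remediation check for the IT35746 local
# fix. It inspects the onboard vSnap package and the vsnap account's password
# field and reports which local-fix step is still outstanding. Command outputs
# are passed in as strings so the logic can be exercised offline. Assumption
# (not from the APAR): `rpm -q vsnap` prints "vsnap-<version>-<release>.<arch>".

# Extract "10.1.6" from `rpm -q vsnap` output; prints nothing if not installed.
vsnap_version() {
  printf '%s\n' "$1" | sed -n 's/^vsnap-\([0-9][0-9.]*\)-.*/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing numerically field by field.
version_ge() {
  i=1
  while :; do
    a=$(printf '%s\n' "$1" | cut -d. -f"$i"); b=$(printf '%s\n' "$2" | cut -d. -f"$i")
    [ -z "$a" ] && [ -z "$b" ] && return 0
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
}

# Classify the password field (field 2) of the vsnap line from /etc/shadow.
shadow_state() {
  [ -z "$1" ] && { echo none; return; }   # no vsnap entry at all
  case "$(printf '%s\n' "$1" | cut -d: -f2)" in
    "")        echo empty ;;   # `passwd -d vsnap` has been run
    '!'*|'*'*) echo locked ;;  # account locked / no password login
    *)         echo set ;;     # a password hash is still present
  esac
}

# Map (rpm -q output, shadow line) to the outstanding step of the local fix.
recommend() {
  ver=$(vsnap_version "$1"); state=$(shadow_state "$2")
  if [ -n "$ver" ]; then
    # Step 1 done if >= 10.1.7 (the upgrade deletes the credentials). Otherwise
    # step 1 or 2a is still needed; do not run passwd -d while an older vSnap
    # is installed, since it can re-enable the static password on next boot.
    version_ge "$ver" 10.1.7 && echo ok-upgraded || echo upgrade-or-remove-vsnap
  elif [ "$state" = set ]; then
    echo delete-static-password        # vSnap gone, step 2b still needed
  else
    echo ok-removed
  fi
}
# Live use (reading /etc/shadow needs root):
#   recommend "$(rpm -q vsnap 2>/dev/null)" "$(grep '^vsnap:' /etc/shadow)"
```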
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Protect Plus level 10.1.7.                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description.                                       *
    * For more information, refer to the security bulletin         *
    * published here:                                              *
    * https://www.ibm.com/support/pages/node/6367823               *
    *                                                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply the fixing level when available. This problem was      *
    * fixed in IBM Spectrum Protect Plus 10.1.8. Note that this is *
    * subject to change at the discretion of IBM.                  *
    ****************************************************************
    

Problem conclusion

  • A code fix has been implemented to disable the internal vSnap
    and delete the static credentials during upgrade of the IBM
    Spectrum Protect Plus virtual appliance.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT35746

  • Reported component name

    SP PLUS

  • Reported component ID

    5737SPLUS

  • Reported release

    A17

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-02-01

  • Closed date

    2021-04-07

  • Last modified date

    2021-05-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SP PLUS

  • Fixed component ID

    5737SPLUS

Applicable component levels


Document Information

Modified date:
16 May 2023