IT36303: LOCAL USER IS ABLE TO GET AND DECRYPT BOTH IBM SPECTRUM CONTROL USER AND DB2 ADMINISTRATIVE PASSWORDS

Fixes are available

IBM Spectrum Control 5.4.4 (August 2021)
IBM Spectrum Control 5.4.5.2 (December 2021)

APAR status

Closed as program error.

Error description

Configuration files weak permissions allow to get DB2
administrative username and password.
The vulnerable files are device/conf/tsnmdbparms.properties,
alert/conf/tsnmdbparms.properties,
web/conf/tsnmdbparms.properties
The log file with all the encrypted passwords exposure is the
service/changepasswords_noX.log

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:                                              *
* IBM Spectrum Control users                                   *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* The IBM Spectrum Control configuration files have            *
* weak permissions, allowing potential access to               *
* DB2 administrative username and password.                    *
*                                                              *
* The vulnerable files are:                                    *
* /device/conf/tsnmdbparms.properties                          *
* /alert/conf/tsnmdbparms.properties                           *
* /web/conf/tsnmdbparms.properties                             *
*                                                              *
* The log file containing encrypted passwords exposure is:     *
* /service/changepasswords_noX.log                             *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fix maintenance when available                         *
****************************************************************

Problem conclusion

The fix for this APAR is targeted for the following release:

IBM Spectrum Control 5.4.4   [ 5.4.4-IBM-SC ]

( release target 3Q 2021 / August )

http://www.ibm.com/support/docview.wss?&uid=swg21320822

The target dates for future releases do not represent a formal
commitment by IBM. The dates are subject to change without
notice.

Temporary fix

Comments

APAR Information

APAR number
IT36303
Reported component name
TPC ADVANCED
Reported component ID
5608TPCA0
Reported release
541
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-22
Closed date
2021-09-14
Last modified date
2021-09-14

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
TPC ADVANCED
Fixed component ID
5608TPCA0

Applicable component levels

[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSNECY","label":"Tivoli Storage Productivity Center Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"541"}]

Document Information

Modified date:
25 June 2022

Tips

IT36303: LOCAL USER IS ABLE TO GET AND DECRYPT BOTH IBM SPECTRUM CONTROL USER AND DB2 ADMINISTRATIVE PASSWORDS

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

Document Information

Share your feedback

Need support?