Security Bulletin: SQL Server Password Disclosure via IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server and IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (CVE-2016-3059)

Security Bulletin


Summary

When IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server or IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server is used with SQL Server authentication, the Microsoft SQL Server user ID and password are presented in plain text in the task completion status details shown in the MMC GUI's Task List view. Anyone who can open the MMC GUI on that host can read them; the CVSS vector below rates the issue as local with no privileges required.

Vulnerability Details

CVEID: CVE-2016-3059
DESCRIPTION:
IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server discloses the user ID and password of a Microsoft SQL Server in plain text via the Task List information available within the MMC GUI interface.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following levels of IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases) are affected:

  • 6.4.0.0 through 6.4.1.8
  • 6.3.0.0 through 6.3.1.6


The following levels of IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (IBM Spectrum Protect Snapshot) are affected:
  • 3.2.0.0 through 3.2.1.8
  • 3.1.0.0 through 3.1.1.6

Remediation/Fixes

Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server

  Release   First Fixing VRM Level   Link to Fix / Fix Availability Target
  6.4       6.4.1.9                  ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/
  6.3       6.3.1.7                  ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/

Tivoli Storage FlashCopy Manager for Microsoft SQL Server

  Release   First Fixing VRM Level   Link to Fix / Fix Availability Target
  3.2       3.2.1.9                  ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
  3.1       3.1.1.7                  Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release, which contains the most recent security fixes. Contact IBM Support with any questions.
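The tables above give, per release stream, the affected range and the first fixing level. The following Python is an added example, not IBM's code, that turns those published ranges into a check a practitioner can run against whatever installed V.R.M.F level they read off a host. The product names used as dictionary keys and the result strings are this example's own; the version numbers are copied from the bulletin.

```python
"""Added example (not IBM's code): classify an installed level of Data Protection
for Microsoft SQL Server or FlashCopy Manager for Microsoft SQL Server against the
affected ranges and first fixing levels published in this bulletin."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# (lowest affected, highest affected, first fixing level), copied from the bulletin.
BULLETIN: Dict[str, List[Tuple[Version, Version, Version]]] = {
    "Data Protection for Microsoft SQL Server": [
        ((6, 4, 0, 0), (6, 4, 1, 8), (6, 4, 1, 9)),
        ((6, 3, 0, 0), (6, 3, 1, 6), (6, 3, 1, 7)),
    ],
    "FlashCopy Manager for Microsoft SQL Server": [
        ((3, 2, 0, 0), (3, 2, 1, 8), (3, 2, 1, 9)),
        ((3, 1, 0, 0), (3, 1, 1, 6), (3, 1, 1, 7)),
    ],
}

# Release streams whose fixes the bulletin says are no longer downloadable.
UNSUPPORTED_STREAMS = {("FlashCopy Manager for Microsoft SQL Server", (3, 1))}


def parse_version(text: str) -> Version:
    """Parse an IBM V.R.M.F level; missing trailing fields are treated as 0.
    Numeric comparison matters: as strings, '6.4.1.10' sorts below '6.4.1.9'."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a V.R.M.F level: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in v)


def assess(product: str, installed: str) -> str:
    """Return a verdict starting with 'AFFECTED', 'FIXED' or 'NOT COVERED'."""
    v = parse_version(installed)
    for low, high, fix in BULLETIN[product]:
        if low <= v <= high:
            if (product, low[:2]) in UNSUPPORTED_STREAMS:
                return (f"AFFECTED: {fmt(low[:2])} fixes are no longer available; "
                        "upgrade to the latest supported release")
            return f"AFFECTED: upgrade to {fmt(fix)} or later"
        if v[:2] == low[:2]:
            # Same V.R stream and outside (above) the affected range: at/after the fix.
            return f"FIXED: {installed} is at or above first fixing level {fmt(fix)}"
    return "NOT COVERED: release stream not listed for CVE-2016-3059; check later bulletins"


if __name__ == "__main__":
    for prod, lvl in [("Data Protection for Microsoft SQL Server", "6.4.1.8"),
                      ("Data Protection for Microsoft SQL Server", "6.4.1.10"),
                      ("FlashCopy Manager for Microsoft SQL Server", "3.1.1.2")]:
        print(f"{prod} {lvl}: {assess(prod, lvl)}")
```

The check compares levels as integer tuples rather than strings, so a fix level such as 6.4.1.10 is correctly ranked above 6.4.1.9; a stream the bulletin does not list (for example a later release) is reported as not covered rather than silently treated as fixed.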

Workarounds and Mitigations

Set the "Use Microsoft Windows authentication" option instead of the "Use SQL Server authentication" option, so that the product authenticates to the Microsoft SQL Server over a trusted Microsoft Windows connection and no SQL Server password is entered or recorded.

If you cannot use the "Use Microsoft Windows authentication" option, manually clear the Task List in the MMC GUI interface after every operation. To remove a Task List entry, click the task and then click the "Remove" button. You can also remove all completed tasks from the Task List with the "Remove Completed" option. Note that this only limits how long the credentials remain visible; they are still exposed until the entry is cleared, so apply the fix above as soon as possible.

References

Change History

25 July 2016 - Original version published
13 April 2018 - Fix 3.1 download information

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date: 17 June 2018
UID: swg21987333