IBM Support

Security Bulletin: Password Disclosure via FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL (CVE-2015-4949, CVE-2015-6557)

Security Bulletin


Summary

The password associated with Tivoli Storage Manager or the Microsoft SQL DB user is displayed in plain text via application pop-up messages for failed operations and in application trace output.

Vulnerability Details


CVEID: CVE-2015-4949
DESCRIPTION:
IBM Tivoli Storage Manager for Databases could allow a local user to see error messages that contain the plain text passwords of users.

When using one of the following applications:

  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
  • Tivoli Storage FlashCopy Manager on Windows

pop-up error messages associated with an exception condition generated during a failed backup, restore, or query operation will display the Tivoli Storage Manager password and/or the Microsoft SQL DB user's password in plain text.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104953 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)


CVEID: CVE-2015-6557
DESCRIPTION:
When application tracing is enabled, these passwords are written in plain text to the trace output. Because trace output is written to files that persist on disk and are routinely collected and shared when diagnosing a problem, the exposure can outlast the session that produced it.

In all cases, the passwords displayed are passwords that the logged-in user executing the operation would already know or have access to via their login credentials.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106385 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions


In the context of pop-up error messages:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 4.1 (for File System backups)
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 4.1

In the context of application tracing:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 3.1, 3.2, and 4.1

Remediation/Fixes


Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
7.1          | 7.1.2       | IT03480 | Note that 7.1.2 is no longer available for download. You can download 7.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntsql/v714/
6.4          | 6.4.1.7     | IT03480 | Note that 6.4.1.7 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/
6.3          | 6.3.1.5     | IT03480 | Note that 6.3.1.5 is no longer available for download. You can download 6.3.1.7 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/
5.5          | 5.5.6.1     | IT03480 | Note that 5.5.6.1 is no longer available for download. You can download 5.5.6.2 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v556/


Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
7.1          | 7.1.2       | IT03480 | Note that 7.1.2 is no longer available for download. You can download 7.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v714/
6.4          | 6.4.1.7     | IT03480 | Note that 6.4.1.7 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com//storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows/
6.3          | 6.3.1.5     | IT03480 | Note that 6.3.1.5 is no longer available for download. You can download 6.3.1.6 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/
6.1          | None        | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
5.5          | 5.5.1.1     | IT03480 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v551/


Tivoli Storage FlashCopy Manager: FlashCopy Manager for Windows
    Includes fix for the following components:
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
4.1          | 4.1.2       | IT03480 | Note that 4.1.2 is no longer available for download. You can download 4.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/
3.2          | 3.2.1.7     | IT03480 | Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
3.1          | 3.1.1.5     | IT03480 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release, which contains the most recent security fixes. Contact IBM Support with any questions.
2.2          | None        | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
2.1          | None        | IT03480 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

In the context of the pop-up error messages (which only affect the 7.1 and 4.1 releases of the affected software), use one of the following options to mitigate the problem:

  • Pop-up messages are only displayed when using the GUI. The command line interface (CLI) is not affected and can be used as a workaround.
  • Use Windows authentication instead of SQL Server Authentication.
  • Use "generate" as the value of the "passwordaccess" option and make sure that a valid password has been stored in the registry.

In the context of application tracing, use one of the following options to mitigate the problem:
  • Do not enable application tracing.
  • Use Windows authentication instead of SQL Server Authentication.
  • Use "generate" as the value of the "passwordaccess" option and make sure that a valid password has been stored in the registry.
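The two configuration mitigations listed above (PASSWORDACCESS GENERATE and Windows rather than SQL Server authentication) can be checked across a set of Windows backup servers by reading the option files rather than opening each GUI. The following is an added example written for this page, not IBM's code. Its assumptions, labelled as such in the code: option names in these files are case-insensitive and may be abbreviated to the capitalised stem shown in the product documentation (PASSWORDAccess, SQLAUTHentication); PASSWORDACCESS defaults to PROMPT when absent; the Data Protection for SQL configuration file is tdpsql.cfg and its SQL authentication keyword takes INTegrated or SQLuserid, defaulting to integrated; the file paths and contents are constructed samples.

```python
"""Audit TSM / Data Protection option files for the two mitigations above.

Added example for this bulletin, not IBM code. Assumptions: option names are
case-insensitive and may be abbreviated to the documented stem; PASSWORDACCESS
defaults to PROMPT; the DP for SQL file is tdpsql.cfg with a SQLAUTHENTICATION
keyword whose values are INTEGRATED (default) or SQLUSERID.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    path: str
    option: str
    value: Optional[str]   # None: option absent, product default applies
    safe: bool
    reason: str


def parse_options(text: str) -> Dict[str, str]:
    """'OPTION value' lines -> {OPTION: value}. A '*' starts a comment line;
    option names are upper-cased; a later duplicate overrides an earlier one."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def lookup(opts: Dict[str, str], canonical: str, min_abbrev: str) -> Optional[str]:
    """Find an option that may have been abbreviated: the key must be a prefix
    of the canonical name and at least as long as the documented minimum."""
    for key, value in opts.items():
        if canonical.startswith(key) and len(key) >= len(min_abbrev):
            return value
    return None


def audit_dsm_opt(path: str, text: str) -> Finding:
    """PASSWORDACCESS GENERATE keeps the TSM password in the registry, so no
    interactively typed password exists for a failed operation to echo."""
    value = lookup(parse_options(text), "PASSWORDACCESS", "PASSWORDA")
    effective = (value if value is not None else "PROMPT").upper()   # assumed default
    safe = effective.startswith("G")
    reason = ("TSM password held in the registry (PASSWORDACCESS GENERATE)" if safe
              else "TSM password is typed at a prompt and can surface in pop-up errors and traces")
    return Finding(path, "PASSWORDACCESS", value, safe, reason)


def audit_tdpsql_cfg(path: str, text: str) -> Finding:
    """Windows (integrated) authentication removes the SQL login password entirely."""
    value = lookup(parse_options(text), "SQLAUTHENTICATION", "SQLAUTH")
    effective = (value if value is not None else "INTEGRATED").upper()   # assumed default
    safe = effective.startswith("INT")
    reason = ("Windows authentication; no SQL login password to disclose" if safe
              else "SQL Server authentication; the SQL user's password is supplied to the tool")
    return Finding(path, "SQLAUTHENTICATION", value, safe, reason)


def audit(files: Dict[str, str]) -> List[Finding]:
    """Route each file by name: tdpsql.cfg to the SQL check, everything else
    (dsm.opt for DP for SQL, DP for Exchange, FlashCopy Manager) to the TSM check."""
    findings: List[Finding] = []
    for path, text in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        check = audit_tdpsql_cfg if name == "tdpsql.cfg" else audit_dsm_opt
        findings.append(check(path, text))
    return findings


# Constructed sample files: one server still on the weak settings, one on the mitigated settings.
SAMPLE_FILES: Dict[str, str] = {
    r"C:\Program Files\Tivoli\TSM\TDPSql\dsm.opt": (
        "* constructed sample: TSM password typed at a prompt\n"
        "NODENAME          SQLSRV01_SQL\n"
        "TCPSERVERADDRESS  tsm.example.internal\n"
        "PASSWORDACCESS    PROMPT\n"),
    r"C:\Program Files\Tivoli\TSM\TDPSql\tdpsql.cfg": (
        "SQLAUTHentication  SQLuserid\n"),
    r"D:\Tivoli\FlashCopyManager\dsm.opt": (
        "NODENAME          EXCH01_FCM\n"
        "TCPServeraddress  tsm.example.internal\n"
        "PASSWORDAccess    Generate\n"),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{'OK  ' if f.safe else 'WEAK'} {f.path}: {f.option}={f.value!r} - {f.reason}")
```

A GENERATE finding only means the option is set; the password must still have been stored once (the bulletin's "make sure that a valid password has been stored in the registry"), which this file-level check cannot see. Treat it as a configuration audit, not proof that the node can authenticate unattended.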

References

Change History

13 April 2018: Fixed 3.1 download information
6 October 2015: Added the link to the Data Protection for Exchange 5.5.1.1 fix.
1 October 2015: Added CVE-2015-6557 to the document title.
30 September 2015: Added CVE-2015-6557. Note: The description was already included in this document but the CVE information was not provided. Added rows for the 2.1 and 2.2 releases of FlashCopy Manager.
28 September 2015: In the Data Protection for Microsoft Exchange table, the row for the 6.1 release was modified to reflect "N/A" for the "Fixing Level" and the following note was added: "This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product."
02 September 2015: Added link to the FlashCopy Manager on Windows 3.2.1.7 fix.
18 August 2015: Added link to the Data Protection for Microsoft SQL Server 5.5.6.1 fix.
10 August 2015: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date:
17 June 2018

UID

swg21963630