APAR status
Closed as program error.
Error description
CVE-2020-4854 was fixed in version 10.1.7, but only in the IBM Spectrum Protect Plus vSnap code. When the vSnap component is upgraded to 10.1.7, it deletes the static credentials. For new deployments of IBM Spectrum Protect Plus at version 10.1.7, the onboard vSnap does not exist, so this vulnerability is not present. For existing deployments which are upgraded to version 10.1.7 from an earlier version, the onboard vSnap does not get upgraded automatically.

IBM Spectrum Protect Plus Versions Affected: IBM Spectrum Protect Plus 10.1.7

| MDVPARTL 10.1.7 5737SPLUS |

Initial Impact: Medium

Additional Keywords: SPP, SPPLUS, TS004852393, cve, SPP-14672
Local fix
Documentation exists on how to disable or migrate an onboard vSnap: https://www.ibm.com/support/knowledgecenter/en/SSNQFQ_10.1.7/spp/t_spp_migrating_vsnap_data_to_standalone_vsnap.html

To fix the problem:

1. Make sure you manually upgrade the onboard vSnap on the SPP host to 10.1.7.

OR

2. If you are not using the onboard vSnap:
   a. Uninstall the vSnap 10.1.6 or earlier version:
      sudo yum remove vsnap
   b. Then delete the static password:
      sudo passwd -d vsnap

It's important to uninstall it before deleting the password. If the vSnap component still remains at an earlier level, the static password might get re-enabled during next boot.
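
A check for the end state of the steps above, as an added example that is not IBM's code. It assumes the RPM version of the vsnap package starts with the product level (for example 10.1.7) and that the second field of `passwd -S` is PS, LK or NP; the state names OLD_VSNAP and STALE_PASSWORD are made up for this example.

```shell
#!/bin/sh
# Added example: classify the onboard vSnap state described in this APAR.
# Assumptions: package and account are both named "vsnap" (as in the yum and
# passwd commands above); RPM %{VERSION} looks like "10.1.6" or "10.1.7".
FIXED_LEVEL="10.1.7"

# version_lt A B: true when A sorts strictly below B (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify_vsnap RPM_VERSION PASSWD_STATUS
#   RPM_VERSION   installed vsnap version, or "" when the package is absent
#   PASSWD_STATUS second field of `passwd -S vsnap`, or "" when no account
classify_vsnap() {
    ver=$1
    status=$2
    if [ -n "$ver" ] && version_lt "$ver" "$FIXED_LEVEL"; then
        # Pre-10.1.7 vSnap still installed: upgrade or uninstall it first,
        # because it may re-enable the static password at next boot.
        echo "OLD_VSNAP"
    elif [ -z "$ver" ] && [ "$status" = "PS" ]; then
        # Package removed but the account still has a password: step 2b
        # (passwd -d vsnap) has not been done.
        echo "STALE_PASSWORD"
    else
        # Either vSnap is at the fixed level (the upgrade deletes the static
        # credentials) or it is removed and the account has no usable password.
        echo "OK"
    fi
}

# Collect the two inputs from the local host (run as root for passwd -S).
audit_host() {
    ver=$(rpm -q --qf '%{VERSION}' vsnap 2>/dev/null) || ver=""
    status=$(passwd -S vsnap 2>/dev/null | awk '{print $2}')
    classify_vsnap "$ver" "$status"
}

# Only touch the host when asked to: sh check_vsnap.sh --host
if [ "${1:-}" = "--host" ]; then
    audit_host
fi
```

OLD_VSNAP is reported even when the password is already gone, which is the ordering problem the local fix warns about.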
Problem summary
USERS AFFECTED: IBM Spectrum Protect Plus level 10.1.7.

PROBLEM DESCRIPTION: See Error Description. For more information, refer to the security bulletin published here: https://www.ibm.com/support/pages/node/6367823

RECOMMENDATION: Apply the fixing level when available. This problem was fixed in IBM Spectrum Protect Plus 10.1.8. Note that this is subject to change at the discretion of IBM.
Problem conclusion
A code fix has been implemented to disable the internal vSnap and delete the static credentials during upgrade of the IBM Spectrum Protect Plus virtual appliance.
Temporary fix
Comments
APAR Information
APAR number
IT35746
Reported component name
SP PLUS
Reported component ID
5737SPLUS
Reported release
A17
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-02-01
Closed date
2021-04-07
Last modified date
2021-05-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SP PLUS
Fixed component ID
5737SPLUS
Applicable component levels
Document Information
Modified date:
16 May 2023