Security Bulletin
Summary
The Tivoli Storage Manager (TSM) password is displayed in plain text via application trace output when the "Change TSM Password" (changetsmpassword) command is used and application tracing is enabled.
Vulnerability Details
CVEID: CVE-2015-7404
DESCRIPTION:
When using one of the following applications:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases)
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server (IBM Spectrum Protect for Mail)
- Tivoli Storage FlashCopy Manager on Windows (IBM Spectrum Protect Snapshot)
the Tivoli Storage Manager (TSM) password is displayed in plain text via application trace output when the "Change TSM Password" (changetsmpassword) command is used and application tracing is enabled.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107109 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
- Tivoli Storage FlashCopy Manager on Windows 2.1, 2.2, 3.1, 3.2, and 4.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
- Note: This component does not have a 6.2 release.
- Note: This component does not have a 6.1 or 6.2 release.
Remediation/Fixes
Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
7.1 | 7.1.4 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntsql/v714 |
6.4 | 6.4.1.8 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/ |
6.3 | 6.3.1.6 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/ |
5.5 | 5.5.6.2 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v556/ |
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
7.1 | 7.1.4 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v714 |
6.4 | 6.4.1.8 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows |
6.3 | 6.3.1.6 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/ |
6.1 | None | IT11349 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
5.5 | 5.5.1.1 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v551/ |
Tivoli Storage FlashCopy Manager for Windows
- Includes fix for the following components:
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
4.1 | 4.1.4 | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414 |
3.2 | 3.2.1.8 | IT11349 | Note that 3.2.1.8 is no longer available for download. You can download 3.2.1.9 to obtain the fix:ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/ |
3.1 | 3.1.1.6 | IT11349 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions. |
2.2 | None | IT11349 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
2.1 | None | IT11349 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
Workarounds and Mitigations
- Do not change the TSM password while application tracing is enabled.
- Delete any existing application trace output files to prevent possible exposure of passwords that may be contained within them.
Get Notified about Future Security Bulletins
References
Change History
13 April 2018 - Fix 3.2 and 3.1 download information
28 March 2016: The FlashCopy Manager on WIndows 3.1.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
22 March 2016: The Data Protection for Microsoft Exchange Server 6.3.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
7 March 2016: The Data Protection for Microsoft SQL Server 5.5.6.2 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
23 February 2016: The Tivoli Storage FlashCopy Manager on Windows 3.2.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
8 February 2016: The Data Protection for Microsoft Exchange 6.4.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Tivoli Storage FlashCopy Manager for Windows 4.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Data Protection for Microsoft Exchange Server 7.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Data Protection for Microsoft SQL Server 7.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
7 December 2015: The Data Protection for Microsoft SQL Server 6.3.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
30 November 2015: The Data Protection for Microsoft SQL Server 6.4.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
6 November 2015: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21969514