Security Bulletin: Additional Password Disclosure via application tracing in FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-7404

Summary

The Tivoli Storage Manager (TSM) password is displayed in plain text via application trace output when the "Change TSM Password" (changetsmpassword) command is used and application tracing is enabled.

Vulnerability Details


CVEID: CVE-2015-7404
DESCRIPTION:


When using one of the following applications:

  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases)
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server (IBM Spectrum Protect for Mail)
  • Tivoli Storage FlashCopy Manager on Windows (IBM Spectrum Protect Snapshot)

the Tivoli Storage Manager (TSM) password is displayed in plain text via application trace output when the "Change TSM Password" (changetsmpassword) command is used and application tracing is enabled.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107109 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions


  • Tivoli Storage FlashCopy Manager on Windows 2.1, 2.2, 3.1, 3.2, and 4.1
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
    • Note: This component does not have a 6.2 release.
  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
    • Note: This component does not have a 6.1 or 6.2 release.

Remediation/Fixes


Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
7.1          | 7.1.4       | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntsql/v714
6.4          | 6.4.1.8     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/
6.3          | 6.3.1.6     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/
5.5          | 5.5.6.2     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v556/


Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
7.1          | 7.1.4       | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v714
6.4          | 6.4.1.8     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows
6.3          | 6.3.1.6     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/
6.1          | None        | IT11349 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
5.5          | 5.5.1.1     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v551/



Tivoli Storage FlashCopy Manager for Windows
    Includes fix for the following components:
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
4.1          | 4.1.4       | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414
3.2          | 3.2.1.8     | IT11349 | Note that 3.2.1.8 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
3.1          | 3.1.1.6     | IT11349 | Fixes for release 3.1 are no longer available for download because this release is no longer supported. Customers requiring fixes should upgrade to the latest release, which contains the most recent security fixes. Contact IBM Support with any questions.
2.2          | None        | IT11349 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
2.1          | None        | IT11349 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

  • Do not change the TSM password while application tracing is enabled.
  • Delete any existing application trace output files to prevent exposure of any passwords they may contain.
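The second workaround as an added PowerShell example (not IBM's code): it inventories the trace output files, flags those that record a changetsmpassword command, and removes the whole set only when -Remove is given. The default trace directory and the *.trc name pattern are assumptions; point them at wherever your Data Protection or FlashCopy Manager tracing actually writes.

```powershell
# Added example, not part of the IBM bulletin or product. Audits and removes
# application trace output that may hold the TSM password (CVE-2015-7404).
param(
    [string]$TraceDir = 'C:\Program Files\Tivoli\TSM\TDPSql',  # assumed: adjust to your trace location
    [string]$Pattern  = '*.trc',                                 # assumed: adjust to your trace file names
    [switch]$Remove                                              # omit to audit only
)

$files = Get-ChildItem -Path $TraceDir -Filter $Pattern -File -Recurse -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Host "No trace files matching '$Pattern' under '$TraceDir'."
    return
}

# A trace captured while the password was being changed is the one that leaks it,
# so flag files that record the command; every trace file is still a removal candidate.
$report = foreach ($f in $files) {
    $leaky = Select-String -Path $f.FullName -Pattern 'changetsmpassword' -SimpleMatch -Quiet
    [pscustomobject]@{
        File              = $f.FullName
        LastWrite         = $f.LastWriteTime
        RecordsPwdChange  = [bool]$leaky
    }
}

$report | Sort-Object RecordsPwdChange -Descending | Format-Table -AutoSize
$flagged = @($report | Where-Object RecordsPwdChange).Count
Write-Host "$($report.Count) trace file(s) found, $flagged record(s) a changetsmpassword command."

if ($Remove) {
    # Per the bulletin, delete all existing trace output, not only the flagged files;
    # -Confirm keeps each deletion explicit.
    $report | ForEach-Object { Remove-Item -Path $_.File -Force -Confirm }
}
else {
    Write-Host "Re-run with -Remove to delete the files listed above."
}
```

Disable application tracing, or at least finish any password change first, before re-enabling it, since a new trace taken during changetsmpassword recreates the exposure.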

References

Change History

13 April 2018: Fixed the 3.2 and 3.1 download information.
28 March 2016: The FlashCopy Manager on Windows 3.1.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
22 March 2016: The Data Protection for Microsoft Exchange Server 6.3.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
7 March 2016: The Data Protection for Microsoft SQL Server 5.5.6.2 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
23 February 2016: The Tivoli Storage FlashCopy Manager on Windows 3.2.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
8 February 2016: The Data Protection for Microsoft Exchange 6.4.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Tivoli Storage FlashCopy Manager for Windows 4.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Data Protection for Microsoft Exchange Server 7.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Data Protection for Microsoft SQL Server 7.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
7 December 2015: The Data Protection for Microsoft SQL Server 6.3.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
30 November 2015: The Data Protection for Microsoft SQL Server 6.4.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
6 November 2015: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
17 June 2018

UID

swg21969514