Security Bulletin
Summary
The password associated with Tivoli Storage Manager or the Microsoft SQL DB user is displayed in plain text via application pop-up messages for failed operations and in application trace output.
Vulnerability Details
CVEID: CVE-2015-4949
DESCRIPTION: IBM Tivoli Storage Manager for Databases could allow a local user to see error messages that contain the plain text passwords of users.
When using one of the following applications:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
- Tivoli Storage FlashCopy Manager on Windows
pop-up error messages associated with an exception condition generated during a failed backup, restore, or query operation will display the Tivoli Storage Manager password and/or the Microsoft SQL DB user's password in plain text.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104953 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2015-6557
DESCRIPTION: When application tracing is enabled, these passwords are displayed in plain text in the trace output.
In all cases, the passwords displayed are passwords that the logged in user executing the operation would already know or have access to via their login credentials.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106385 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
In the context of pop-up error messages:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 4.1 (for File System backups)
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 4.1
In the context of application tracing:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 3.1, 3.2, and 4.1
Remediation/Fixes
Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
7.1 | 7.1.2 | IT03480 | Note that 7.1.2 is no longer available for download. You can download 7.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntsql/v714/ |
6.4 | 6.4.1.7 | IT03480 | Note that 6.4.1.7 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/ |
6.3 | 6.3.1.5 | IT03480 | Note that 6.3.1.5 is no longer available for download. You can download 6.3.1.7 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/ |
5.5 | 5.5.6.1 | IT03480 | Note that 5.5.6.1 is no longer available for download. You can download 5.5.6.2 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v556/ |
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
Tivoli Storage FlashCopy Manager: FlashCopy Manager for Windows
- Includes fix for the following components:
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
4.1 | 4.1.2 | IT03480 | Note that 4.1.2 is no longer available for download. You can download 4.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/ |
3.2 | 3.2.1.7 | IT03480 | Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/ |
3.1 | 3.1.1.5 | IT03480 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions. |
2.2 | None | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
2.1 | None | IT03480 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
Workarounds and Mitigations
In the context of the pop-up error messages (which only affect the 7.1 and 4.1 releases of the affected software), use one of the following options to mitigate the problem:
- Pop-up messages are only displayed when using the GUI. The command line interface (CLI) is not affected and can be used as a workaround for this problem.
- Use Windows authentication instead of SQL Server Authentication.
- Use "generate" as the value of the "passwordaccess" option and make sure that a valid password has been stored in the registry.
In the context of application tracing, use one of the following options to mitigate the problem:
- Do not enable application tracing.
- Use Windows authentication instead of SQL Server Authentication.
- Use "generate" as the value of the "passwordaccess" option and make sure that a valid password has been stored in the registry.
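As an added example (not part of the bulletin or of IBM's product code), a small Python audit of a TSM client options file against the two configuration mitigations above: the "passwordaccess" option must be "generate", and tracing must be off. It assumes the standard dsm.opt option names PASSWORDACCESS, TRACEFLAGS and TRACEFILE, and that the trace options stand for the bulletin's "application tracing"; the two option files are constructed samples.

```python
"""Audit a TSM client options file (dsm.opt) for the two configuration
mitigations in this bulletin: PASSWORDACCESS GENERATE, tracing off.  Treating
TRACEFLAGS/TRACEFILE as the "application tracing" switch is an assumption."""

# Constructed sample: the weak configuration (prompted password, tracing on).
WEAK_DSM_OPT = """\
* TSM client options for Data Protection for SQL (constructed sample)
NODENAME         SQLNODE1
TCPSERVERADDRESS tsm.example.internal
PASSWORDACCESS   PROMPT
TRACEFLAGS       service
TRACEFILE        c:\\temp\\dpsql.trc
"""

# Constructed sample: the hardened configuration.
HARDENED_DSM_OPT = """\
NODENAME         SQLNODE1
TCPSERVERADDRESS tsm.example.internal
PASSWORDACCESS   GENERATE
"""


def parse_dsm_opt(text):
    """Return {OPTION: value}; '*' lines are comments, keyword/value split on whitespace."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_dsm_opt(text):
    """Return a list of findings; an empty list means both mitigations hold."""
    opts = parse_dsm_opt(text)
    findings = []
    # TSM defaults PASSWORDACCESS to PROMPT when the option is absent.
    access = opts.get("PASSWORDACCESS", "PROMPT").upper()
    if access != "GENERATE":
        findings.append(f"PASSWORDACCESS is {access}: set GENERATE so the password "
                        "stored in the registry is used instead of a typed one")
    for opt in ("TRACEFLAGS", "TRACEFILE"):
        if opt in opts:
            findings.append(f"{opt} is set to '{opts[opt]}': on unfixed levels the "
                            "trace output contains the password in plain text")
    return findings
```

Run `audit_dsm_opt(open(path).read())` against a node's real options file to get the findings for that node; an empty list means both mitigations are in place.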
References
Change History
13 April 2018: Fixed 3.1 download information
6 October 2015: Added the link to the Data Protection for Exchange 5.5.1.1 fix.
1 October 2015: Added CVE-2015-6557 to the document title.
30 September 2015: Added CVE-2015-6557. Note: the description was already included in this document but the CVE information was not provided. Added rows for the 2.1 and 2.2 releases of FlashCopy Manager.
28 September 2015: In the Data Protection for Microsoft Exchange table, the row for the 6.1 release was modified to reflect "N/A" for the "Fixing Level" and the following note was added: "This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product."
02 September 2015: Added link to the FlashCopy Manager on Windows 3.2.1.7 fix.
18 August 2015: Added link to the Data Protection for Microsoft SQL Server 5.5.6.1 fix.
10 August 2015: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Information
Modified date: 17 June 2018
UID: swg21963630