IBM Support

Security Bulletin: Password Exposure in IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments on Windows platforms (CVE-2018-1787)

Security Bulletin


Summary

IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client and IBM Spectrum Protect for Virtual Environments on Windows are affected by a password exposure vulnerability caused by insecure file permissions.

Vulnerability Details

CVEID: CVE-2018-1787
DESCRIPTION: IBM Spectrum Protect is affected by a password exposure vulnerability caused by insecure file permissions.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148872 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  

Affected Products and Versions

This security exposure affects the following products and levels:

  • IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client levels:
    - 8.1.2.0 through 8.1.6.0
    - 7.1.8.0 through 7.1.8.4
     
  • IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage Manager for Virtual Environments): Data Protection for VMware levels:
    - 8.1.2.0 through 8.1.6.0
    - 7.1.8.0 through 7.1 8.4
     
  • IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage for Virtual Environments): Data Protection for Hyper-V levels:
    -  8.1.2.0 through 8.1.6.0
    -  7.1.8.0
     

Remediation/Fixes

 Backup-Archive Client Release
First Fixing VRM Level
APAR Platform Link to Fix
       8.1 8.1.6.1 IT26060 Windows

http://www.ibm.com/support/docview.wss?uid=swg24043653

      7.1 7.1.8.5 IT26060 Windows

http://www.ibm.com/support/docview.wss?uid=swg24044550

       
Data Protection for VMware Release First Fixing
VRM Level
APAR Platform Link to Fix
    8.1 8.1.6.1 IT26644 Windows

http://www.ibm.com/support/docview.wss?uid=ibm10739257

    7.1 7.1.8.5 IT26644 Windows

Data Protection for VMware 7.1 customers can upgrade to Data Protection for VMware 7.1.8.5 or apply the above 7.1.8.5 client fix.
Data Protection for VMware 7.1.8.5 link:

https://www.ibm.com/support/docview.wss?uid=swg24044553
Client 7.1.8.5 link:
http://www.ibm.com/support/docview.wss?uid=swg24044550

       
Data Protection for Hyper-V Release
First Fixing  VRM Level
APAR Platform Link to Fix
    8.1 8.1.6.1 IT26645 Windows http://www.ibm.com/support/docview.wss?uid=ibm10739263
    7.1 Windows

Apply the above 7.1.8.5 client fix using the following link:
http://www.ibm.com/support/docview.wss?uid=swg24044550

Workarounds and Mitigations

The clustersharedfolder option can be used on Windows to specify the directory location on an NTFS formatted volumes in which to store an encrypted password file for cluster backup which will contain the correct privileges.

Get Notified about Future Security Bulletins

References

Off

Change History

2 April 2019 - Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Internal Use Only

Advisory 13053 Product Records 119627, 120782. and 120783.

Document Location

Worldwide

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Backup-Archive Client","Platform":[{"code":"PF033","label":"Windows"}],"Version":"8.1;7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSERB6","label":"IBM Spectrum Protect for Virtual Environments"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"8.1;7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Component":"Backup-Archive Client","Platform":[{"code":"PF033","label":"Windows"}],"Version":"7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SS8TDQ","label":"Tivoli Storage Manager for Virtual Environments"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
02 April 2019

UID

ibm10869602