Security Bulletin: Potential password exposure in IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1339)

Security Bulletin

Summary

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server may use a weak algorithm for encrypting passwords.

Vulnerability Details

CVEID: CVE-2017-1339
DESCRIPTION: IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) Server uses weak encryption for the password. A database administrator may be able to decrypt the IBM Spectrum protect client or administrator password which can result in information disclosure or a denial of service. IBM X-Force ID: 126247.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126247 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following IBM Spectrum Protect (formerly Tivoli Storage Manager) server levels:

8.1.0.0 through 8.1.1.x
7.1.0.0 through 7.1.7.x
6.3 and below all levels (these releases are EOS)
Note that 6.4 shipped with 6.3 servers.

Remediation/Fixes

*IBM Spectrum Protect (Tivoli Storage Manager) Server Release*	Fixing VRM Level	*Platform*	*Link to Fix / Fix Availability Target*
8.1	(8.1.2) 8.1.3	AIX Linux Windows	Although this issue has been fixed in 8.1.2, it is recommended to upgrade to 8.1.3 of the server using the following link: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/
7.1	7.1.8	AIX HP-UX Linux Solaris Windows	ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/
6.3 and below			6.3 and below are EOS. Customers on these releases can upgrade the server to a fixed level (8.1.3/8.1.2 or 7.1.8). Note that 6.4 shipped with 6.3 servers.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

02 October 2017 - Original version published
10 October 2017 - Updated CVSS Vector and Score

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.1;8.1","Edition":"All Editions","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.1;8.1","Edition":"All Editions","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"6.3;6.4;7.1","Edition":"All Editions","Line of Business":{"code":"LOB26","label":"Storage"}}]

Tips

Security Bulletin: Potential password exposure in IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1339)