Fixes are available
APAR status
Closed as program error.
Error description
*VULNERABILITY SUMMARY* The password associated with Tivoli Storage Manager or the Microsoft SQL DB user is displayed in plain text via application pop-up messages for failed operations and in application trace output. *VULNERABILITY DETAILS* Tivoli Storage Manager for Databases could allow a local user to see error messages that contain the plain text passwords of users. When using one of the following applications: - Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server - Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server - Tivoli Storage FlashCopy Manager on Windows pop-up error messages associated with an exception condition generated during a failed backup, restore, or query operation will display the Tivoli Storage Manager password and/or the Microsoft SQL DB user's password in plain text. Also, when application tracing is enabled, these passwords are displayed in plain text in the trace output. In all cases, the passwords displayed are passwords that the logged in user executing the operation would already know or have access to via their login credentials.
Local fix
Problem summary
**************************************************************** USERS AFFECTED . In the context of pop-up error messages: . - Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1 . - Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1 . - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 4.1 (for File System backups) . - Tivoli Storage FlashCopy Manager for Microsoft SQL Server 4.1 . - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 4.1 . . . In the context of application tracing: . - Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1 . - Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1 . - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 2.1, 2.2, 3.1, 3.2, and 4.1 . - Tivoli Storage FlashCopy Manager for Microsoft SQL Server 2.1, 2.2, 3.1, 3.2, and 4.1 . - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, 3.1, 3.2, and 4.1 **************************************************************** PROBLEM DESCRIPTION . See ERROR DESCRIPTION . For additional details, refer to the security bulleting published here: http://www.ibm.com/support/docview.wss? uid=swg21963630 **************************************************************** RECOMENDATION: . This fix is projected to be abailable in the following deliveries: . - Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5.6.1, 6.3.1.5, 6.4.1.7, and 7.1.2 . - Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5.1.1, 6.3.1.5, 6.4.1.7, and 7.1.2 . - Tivoli Storage FlashCopy Manager: FlashCopy Manager for Windows 3.1.1.5, 3.2.1.7, and 4.1.2 Note: The FlashCopy Manager on Windows package includes the fix for all of the following components: . - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services . - Tivoli Storage FlashCopy Manager for Microsoft SQL Server . - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server . ****************************************************************
Problem conclusion
. The software has been updated to mask passwords in pop-up messages and trace output.
Temporary fix
Comments
APAR Information
APAR number
IT03480
Reported component name
TDP FOR SQL WIN
Reported component ID
5698DPSAP
Reported release
71W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-08-01
Closed date
2014-10-09
Last modified date
2015-10-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TDP FOR SQL WIN
Fixed component ID
5698DPSAP
Applicable component levels
R71W PSY
UP
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSTFZR","label":"Tivoli Storage Manager for Databases"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1"}]
Document Information
Modified date:
25 September 2021