IBM Support

IT03480: PASSWORD DISCLOSURE VIA FLASHCOPY MANAGER ON WINDOWS, DP FOR EXCHANGE, AND DP FOR SQL CVE-2015-4949


APAR status

  • Closed as program error.

Error description

  • *VULNERABILITY SUMMARY*
    
    The password associated with Tivoli Storage Manager or the
    Microsoft SQL DB user is displayed in plain text via application
    pop-up messages for failed operations and in application trace
    output.
    
    *VULNERABILITY DETAILS*
    
    Tivoli Storage Manager for Databases could allow a local user
    to see error messages that contain the plain text passwords of
    users.
    
    When using one of the following applications:
    
    - Tivoli Storage Manager for Databases: Data Protection for
      Microsoft SQL Server
    - Tivoli Storage Manager for Mail: Data Protection for Microsoft
      Exchange Server
    - Tivoli Storage FlashCopy Manager on Windows
    
    pop-up error messages associated with an exception condition
    generated during a failed backup, restore, or query operation
    will display the Tivoli Storage Manager password and/or the
    Microsoft SQL DB user's password in plain text.
    
    Also, when application tracing is enabled, these passwords are
    displayed in plain text in the trace output.
    
    In all cases, the passwords displayed are passwords that the
    logged in user executing the operation would already know or
    have access to via their login credentials.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED
    .
    In the context of pop-up error messages:
    .
    - Tivoli Storage Manager for Databases: Data Protection for
    Microsoft SQL Server 7.1
    .
    - Tivoli Storage Manager for Mail: Data Protection for Microsoft
    Exchange Server 7.1
    .
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System
    Services 4.1 (for File System backups)
    .
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server 4.1
    .
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
    4.1
    .
    .
    .
    In the context of application tracing:
    .
    - Tivoli Storage Manager for Databases: Data Protection for
    Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
    .
    
    
    
    - Tivoli Storage Manager for Mail: Data Protection for Microsoft
    Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
    .
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System
    Services 2.1, 2.2, 3.1, 3.2, and 4.1
    .
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server 2.1,
    2.2, 3.1, 3.2, and 4.1
    .
    
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
    2.1, 2.2, 3.1, 3.2, and 4.1
    
    ****************************************************************
    PROBLEM DESCRIPTION
    .
    See ERROR DESCRIPTION
    .
    
    
    For additional details, refer to the security bulleting
    published here: http://www.ibm.com/support/docview.wss?
    uid=swg21963630
    ****************************************************************
    RECOMENDATION:
    .
    This fix is projected to be abailable in the following
    deliveries:
    .
    - Tivoli Storage Manager for Databases: Data Protection for
    Microsoft SQL Server 5.5.6.1, 6.3.1.5, 6.4.1.7, and 7.1.2
    .
    - Tivoli Storage Manager for Mail: Data Protection for Microsoft
    Exchange Server 5.5.1.1, 6.3.1.5, 6.4.1.7, and 7.1.2
    .
    - Tivoli Storage FlashCopy Manager: FlashCopy Manager for
    Windows 3.1.1.5, 3.2.1.7, and 4.1.2
    Note: The FlashCopy Manager on Windows package includes the fix
    for all of the following components:
    .
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System
    Services
    .
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server
    .
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
    .
    ****************************************************************
    

Problem conclusion

  • .
    The software has been updated to mask passwords in pop-up
    messages and trace output.
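    The conclusion above names the mitigation, masking credentials before
    they reach a pop-up or a trace file, without showing how such masking is
    done. The following is an added illustration in Python of that defensive
    pattern; it is not IBM's code and makes no claim about how the product
    implements the fix. The trace lines, the key names (password, passwd,
    pwd, pw), the logger name and the secret values are all constructed
    placeholders.

    ```python
    import logging
    import re

    # Constructed sample trace lines in a generic "key=value" style.
    # These are placeholders, not output of any real product.
    SAMPLE_TRACE = [
        "tsm connect server=tsmsrv1 node=SQLNODE password=S3cretPw!",
        "sql login user=sa pwd=DbP@ss123 instance=MSSQLSERVER",
        "backup db=Sales status=failed reason=timeout",
    ]

    # Assumed names of keys whose values must never be written out.
    SECRET_KEYS = ("password", "passwd", "pwd", "pw")
    _KV_PATTERN = re.compile(
        r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\s*[=:]\s*(\S+)"
    )
    MASK = "********"


    def redact_secrets(message: str, known_secrets=()) -> str:
        """Return message with password-like values replaced by MASK."""
        # 1) Mask any "password=..." style value regardless of its content.
        masked = _KV_PATTERN.sub(lambda m: f"{m.group(1)}={MASK}", message)
        # 2) Also mask literal secrets the process holds (e.g. the password it
        #    just used to log in) so they cannot leak through free-form text
        #    such as an exception message that does not follow key=value form.
        for secret in known_secrets:
            if secret:
                masked = masked.replace(secret, MASK)
        return masked


    class RedactingFilter(logging.Filter):
        """Logging filter that redacts every record before it is emitted."""

        def __init__(self, known_secrets=()):
            super().__init__()
            self.known_secrets = tuple(known_secrets)

        def filter(self, record: logging.LogRecord) -> bool:
            # Render the message first so %-style args are covered too, then
            # store the redacted text and drop the args so they are not reused.
            record.msg = redact_secrets(record.getMessage(), self.known_secrets)
            record.args = ()
            return True


    def user_facing_error(exc: Exception, known_secrets=()) -> str:
        """Build pop-up text from an exception without echoing secrets."""
        return redact_secrets(f"Operation failed: {exc}", known_secrets)


    def trace_with_redaction(lines, known_secrets=()):
        """Push constructed trace lines through a logger fitted with the
        filter and return exactly what would have been written."""
        captured = []

        class _ListHandler(logging.Handler):
            def emit(self, record):
                captured.append(self.format(record))

        logger = logging.getLogger("example.trace")  # assumed logger name
        logger.handlers.clear()
        logger.propagate = False
        logger.setLevel(logging.DEBUG)
        handler = _ListHandler()
        handler.setFormatter(logging.Formatter("%(message)s"))
        handler.addFilter(RedactingFilter(known_secrets))
        logger.addHandler(handler)
        for line in lines:
            logger.debug("%s", line)
        return captured


    if __name__ == "__main__":
        for out in trace_with_redaction(SAMPLE_TRACE):
            print(out)
        err = ValueError("login rejected for node SQLNODE using S3cretPw!")
        print(user_facing_error(err, known_secrets=["S3cretPw!"]))
    ```

    Two layers are used on purpose: the key=value pattern catches the
    structured case, and the list of known secret values catches free-form
    text (an exception message, a vendor error string) where the password
    appears without a recognisable key. Attaching the filter to the handler
    means every record written to that trace output is redacted, not only
    records the calling code remembered to sanitise.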
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT03480

  • Reported component name

    TDP FOR SQL WIN

  • Reported component ID

    5698DPSAP

  • Reported release

    71W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-08-01

  • Closed date

    2014-10-09

  • Last modified date

    2015-10-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TDP FOR SQL WIN

  • Fixed component ID

    5698DPSAP

Applicable component levels

  • R71W PSY

       UP


Document Information

Modified date:
25 September 2021