IBM Support

IT04252: CONFIDENTIAL DATA EXPOSURE WHEN RESTORING MICROSOFT EXCHANGE MAILBOXES WHICH HAVE THE SAME ALIAS DEFINED CVE-2015-4950


APAR status

  • Closed as program error.

Error description

  • *VULNERABILITY SUMMARY*
    
    In environments with duplicated mailbox aliases, Tivoli
    Storage Manager FastBack for Microsoft Exchange may open
    and restore the wrong mailbox.
    
    *VULNERABILITY DETAILS*
    
    Tivoli Storage Manager FastBack for Microsoft Exchange could
    allow a local user with elevated privileges to obtain sensitive
    information by manipulating mailbox names that share the same
    alias.
    
    For example, two mailboxes with different display names but the same alias:
    
    Mailbox display name    Alias
    mailbox1                sales
    mailbox2                sales
    
    When two mailboxes share an alias, users of the affected software may
    encounter the following problems:
    
    - the Mailbox Restore Browser interface may populate a mailbox
    with the folders and messages of a different mailbox than the
    one intended
    
    - restoring a mailbox via the CLI interface, using the alias
    instead of the mailbox display name, may restore a different
    mailbox than the one intended
    
    - the mailbox history may not correctly represent the mailboxes
    that share the same alias
    
    - the wrong mailbox may be opened when using the "Open
    Mailbox" function; folders and messages could subsequently
    be restored into that incorrect mailbox
    

Local fix

    Use the Exchange Management Console or Exchange Management Shell
    (PowerShell) cmdlets to rename each duplicated mailbox alias to a
    unique value, so that every mailbox the restore browser or CLI can
    address resolves to exactly one mailbox.
    
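    The local fix names the tools but not the procedure. The script below is
    an added example written for this page, not code from IBM or Microsoft.
    It assumes an Exchange Management Shell session (or a remote PowerShell
    session to Exchange) with rights to run Get-Mailbox and Set-Mailbox; the
    "<alias>2", "<alias>3", ... renaming scheme is an arbitrary choice, and
    -WhatIf keeps the script read-only until the proposed renames have been
    reviewed.

```powershell
# Added example (not from the APAR): find mailboxes that share an Alias value
# and give every duplicate beyond the first a unique alias.
# Requires the Exchange Management Shell; remove -WhatIf to apply the changes.

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Case-insensitive set of every alias already in use, so that a generated
# replacement never collides with an existing mailbox.
$allAliases = @{}
foreach ($m in $mailboxes) { $allAliases[$m.Alias.ToLower()] = $true }

# Group-Object compares aliases case-insensitively by default.
$dupGroups = $mailboxes |
    Group-Object -Property Alias |
    Where-Object { $_.Count -gt 1 }

if (-not $dupGroups) {
    Write-Host "No duplicate mailbox aliases found."
    return
}

foreach ($group in $dupGroups) {
    Write-Host ("Alias '{0}' is shared by {1} mailboxes:" -f $group.Name, $group.Count)
    $group.Group |
        Format-Table DisplayName, Alias, PrimarySmtpAddress, EmailAddressPolicyEnabled -AutoSize

    # Keep the first mailbox's alias unchanged; rename the rest as
    # <alias>2, <alias>3, ... skipping any candidate that is already taken.
    $n = 2
    foreach ($mbx in ($group.Group | Select-Object -Skip 1)) {
        do {
            $candidate = "{0}{1}" -f $group.Name, $n
            $n++
        } while ($allAliases.ContainsKey($candidate.ToLower()))
        $allAliases[$candidate.ToLower()] = $true

        Write-Host ("  {0}: {1} -> {2}" -f $mbx.DisplayName, $mbx.Alias, $candidate)
        Set-Mailbox -Identity $mbx.Identity -Alias $candidate -WhatIf
    }
}
```

    Two checks worth doing before removing -WhatIf: if a mailbox has
    EmailAddressPolicyEnabled set and the organisation's e-mail address
    policy derives addresses from the alias (the %m variable), changing the
    alias can change the mailbox's proxy addresses, so review the policy
    first; and after the rename, re-run the script to confirm it reports no
    duplicates before taking new FastBack backups, since backups made while
    the aliases were duplicated remain subject to the behaviour described
    above.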

Problem summary

  • ****************************************************************
    USERS AFFECTED
    .
    All users of:
    .
    - Tivoli Storage Manager FastBack for Microsoft Exchange Server
    6.1
    .
    who have more than one mailbox display name using the same
    alias.
    ****************************************************************
    PROBLEM DESCRIPTION
    .
    See ERROR DESCRIPTION
    .
    For additional details, refer to the security bulletin
    published here:
    http://www.ibm.com/support/docview.wss?uid=swg21963629
    ****************************************************************
    RECOMMENDATION:
    .
    This fix is available in Tivoli Storage Manager FastBack for
    Microsoft Exchange 6.1.5.4.
    ****************************************************************
    

Problem conclusion

    Tivoli Storage Manager FastBack for Microsoft Exchange has been
    updated to correctly handle restores of mailboxes that have
    duplicated aliases.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT04252

  • Reported component name

    TDP EXCHANGE WI

  • Reported component ID

    5698DPXAP

  • Reported release

    71W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-09-07

  • Closed date

    2014-09-07

  • Last modified date

    2015-08-11

  • APAR is sysrouted FROM one or more of the following:

    IT04251

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • FEBCC
    

Fix information

  • Fixed component name

    TDP EXCHANGE WI

  • Fixed component ID

    5698DPXAP

Applicable component levels

  • R71W PSY

       UP

  • R64W PSY

       UP

  • R63W PSY

       UP



Document information

More support for: Tivoli Storage Manager for Mail

Software version: 71W

Reference #: IT04252

Modified date: 11 August 2015