Security Bulletin: Additional Password Disclosure via application tracing in FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-7404

Security Bulletin


Summary

The Tivoli Storage Manager (TSM) password is displayed in plain text via application trace output when the "Change TSM Password" (changetsmpassword) command is used and application tracing is enabled.

Vulnerability Details


CVEID: CVE-2015-7404
DESCRIPTION: When using one of the following applications:

  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases)
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server (IBM Spectrum Protect for Mail)
  • Tivoli Storage FlashCopy Manager on Windows (IBM Spectrum Protect Snapshot)

the Tivoli Storage Manager (TSM) password is displayed in plain text via application trace output when the "Change TSM Password" (changetsmpassword) command is used and application tracing is enabled.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107109 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

  • Tivoli Storage FlashCopy Manager on Windows 2.1, 2.2, 3.1, 3.2, and 4.1
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
      Note: This component does not have a 6.2 release.
  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
      Note: This component does not have a 6.1 or 6.2 release.

Remediation/Fixes

Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server



Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
7.1          | 7.1.4       | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v714
6.4          | 6.4.1.8     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows
6.3          | 6.3.1.6     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/
6.1          | None        | IT11349 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
5.5          | 5.5.1.1     | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v551/



Tivoli Storage FlashCopy Manager for Windows
    Includes fix for the following components:
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
4.1          | 4.1.4       | IT11349 | ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414
3.2          | 3.2.1.8     | IT11349 | Note that 3.2.1.8 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
3.1          | 3.1.1.6     | IT11349 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release, which contains the most recent security fixes. Contact IBM Support with any questions.
2.2          | None        | IT11349 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
2.1          | None        | IT11349 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

  • Do not change the TSM password while application tracing is enabled.
  • Delete any existing application trace output files to prevent possible exposure of passwords that may be contained within them.
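The second mitigation is only as good as your inventory of trace files. The following added script (not IBM's code) is a defender-side check: it walks a trace directory, flags files that recorded a changetsmpassword invocation, reports them with the command arguments redacted so the report itself does not re-disclose the credential, and can delete the flagged files. The trace directory, the *.trc extension and the line layout of the sample are assumptions; the bulletin does not describe the trace format, and the sample lines below are constructed.

```python
"""Find and purge application trace files that captured a changetsmpassword
command (CVE-2015-7404 mitigation). Added example, not IBM's code.

Assumptions (not from the bulletin): trace output is plain text, lives under
a directory you point this at, and names the command on the same line as
its arguments.
"""
import re
import tempfile
from pathlib import Path

# The command name is from the bulletin; matching is case-insensitive.
COMMAND_RE = re.compile(r"(changetsmpassword).*$", re.IGNORECASE)


def scan_trace_text(text: str) -> list:
    """Return (line_number, redacted_line) for each line recording the
    command. Everything after the command name is masked, because that is
    where the old and new passwords would appear."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if COMMAND_RE.search(line):
            findings.append((number, COMMAND_RE.sub(r"\1 <arguments redacted>", line)))
    return findings


def scan_directory(root, pattern: str = "*.trc") -> dict:
    """Recursively scan files matching pattern under root.
    Returns {path: findings} for files with at least one finding."""
    hits = {}
    for path in Path(root).rglob(pattern):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        findings = scan_trace_text(text)
        if findings:
            hits[str(path)] = findings
    return hits


def purge(hits: dict, dry_run: bool = True) -> list:
    """Delete flagged trace files (mitigation 2). With dry_run the files
    are only listed, which is the safe default for a first pass."""
    removed = []
    for path in hits:
        if not dry_run:
            Path(path).unlink()
        removed.append(path)
    return removed


# Constructed sample trace; the layout is an assumption, not real output.
SAMPLE_TRACE = """\
2015-11-06 10:01:02 tdpsql: connecting to TSM server
2015-11-06 10:01:05 tdpsql: command=changetsmpassword oldpw=CONSTRUCTED_OLD newpw=CONSTRUCTED_NEW
2015-11-06 10:01:06 tdpsql: password change complete
"""


def demo():
    """Write the constructed trace into a temp directory, scan and purge it.
    Returns (flagged findings by file name, removed file names, file still
    exists). In practice, point scan_directory at the real trace location."""
    with tempfile.TemporaryDirectory() as tmp:
        trace = Path(tmp) / "tdpsql.trc"
        trace.write_text(SAMPLE_TRACE, encoding="utf-8")
        hits = scan_directory(tmp)
        removed = purge(hits, dry_run=False)
        flagged = {Path(p).name: f for p, f in hits.items()}
        return flagged, [Path(p).name for p in removed], trace.exists()


if __name__ == "__main__":
    flagged, removed, _ = demo()
    for name, findings in flagged.items():
        for number, line in findings:
            print(f"{name}:{number}: {line}")
    print("removed:", removed)
```

Run it against a copy of the real trace directory first with the default dry_run=True, review the redacted report, then purge. A hit on any file produced during a password change is the signal that the password should also be considered exposed and rotated, which this script deliberately does not automate.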

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Password Disclosure via FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-4949, CVE 2015-6557
http://www.ibm.com/support/docview.wss?uid=swg21963630

Change History

13 April 2018: Fix 3.2 and 3.1 download information.
28 March 2016: The FlashCopy Manager on Windows 3.1.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
22 March 2016: The Data Protection for Microsoft Exchange Server 6.3.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
7 March 2016: The Data Protection for Microsoft SQL Server 5.5.6.2 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
23 February 2016: The Tivoli Storage FlashCopy Manager on Windows 3.2.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
8 February 2016: The Data Protection for Microsoft Exchange 6.4.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Tivoli Storage FlashCopy Manager for Windows 4.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Data Protection for Microsoft Exchange Server 7.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
11 December 2015: The Data Protection for Microsoft SQL Server 7.1.4 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
7 December 2015: The Data Protection for Microsoft SQL Server 6.3.1.6 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
30 November 2015: The Data Protection for Microsoft SQL Server 6.4.1.8 fix has been delivered. The target delivery date was replaced with a link to the fix download location.
6 November 2015: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment            | Product                          | Component                       | Platform | Version                 | Edition
Storage Management | Tivoli Storage Manager for Mail  | Data Protection for MS Exchange | Windows  | 5.5, 6.1, 6.3, 6.4, 7.1 |
Storage Management | Tivoli Storage FlashCopy Manager |                                 | Windows  | 2.1, 2.2, 3.1, 3.2, 4.1 |

Document information

More support for: Tivoli Storage Manager for Databases, Data Protection for MS SQL

Software version: 5.5, 6.3, 6.4, 7.1

Operating system(s): Windows

Reference #: 1969514

Modified date: 16 April 2018