Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1251A33DCB567CF2D9A958D85BB667D6660852C02C96009CC9BF253D458EEE08
HistoryJun 17, 2018 - 3:14 p.m.

Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by privilege escalation vulnerability (CVE-2015-7429)

2018-06-1715:14:34
www.ibm.com
7

EPSS

0.001

Percentile

47.7%

JSON

Summary

The IBM Data Protection Extension in the VMware GUI component of IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments) and IBM Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect Snapshot) are subject to a privilege escalation vulnerability that can result in an authenticated user being able to restore a virtual machine even though the user does not have the required privilege for this operation.

Vulnerability Details

CVEID: CVE-2015-7429**
DESCRIPTION:** The IBM Data Protection Extension in the Tivoli Storage Manager and FlashCopy Manager Data Protection for VMware GUI has a privilege escalation vulnerability. When the IBM Data Protection Extension is installed in the VMware vSphere Web Client GUI, it is possible for an authenticated user to select an existing virtual machine from the vSphere inventory and perform a Restore operation even though the user does not have the required privilege for the operation. The restore operation will not overwrite the existing virtual machine, but instead will create a new virtual machine with the same data as the existing virtual machine. After the restore creates the new virtual machine, the user can access its unencrypted data, regardless of their access permissions to the existing virtual machine data.
CVSS Base Score: 8.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107858 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

The affected GUI is part of the following products and versions:

  • Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 7.1.0.0 through 7.1.3.x
  • Tivoli Storage FlashCopy Manager for VMware 4.1.0.0 through 4.1.3.x

Remediation/Fixes

Tivoli Storage Manager for VE: Data Protection for VMware Release

| First Fixing VRMF Level|**_

Client_** Platform|Link to Fix / Fix Availability Target
—|—|—|—
7.1| 7.1.4| Linux
Windows| <http://www.ibm.com/support/docview.wss?uid=swg24041094&gt;

Tivoli Storage
FlashCopy Manager for VMware Release|_
First Fixing VRMF Level_|_
Client_ Platform|**_

Link to Fix / Fix Availability Target_**
—|—|—|—
4.1| 4.1.4| Linux| <http://www.ibm.com/support/docview.wss?uid=swg24041139&gt;

Workarounds and Mitigations

None

Related

cve 1
prion 1
nvd 1
cvelist 1
nessus 2
cve
cve
CVE-2015-7429
2016-01-02 05:59:06
prion
prion
Design/Logic Flaw
2016-01-02 05:59:00
nvd
nvd
CVE-2015-7429
2016-01-02 05:59:06
cvelist
cvelist
CVE-2015-7429
2016-01-02 02:00:00
nessus
nessus
IBM TSM for Virtual Environments 6.3.x < 6.3.2.5 / 6.4.x < 6.4.3.1 / 7.1.x < 7.1.4.0 RCE
2016-01-08 00:00:00
IBM Tivoli Storage FlashCopy Manager for VMware 3.1.x < 3.1.1.3 / 3.2.x < 3.2.0.6 / 4.1.x < 4.1.4.0 Command Execution
2016-01-08 00:00:00

EPSS

0.001

Percentile

47.7%

JSON
Related for 1251A33DCB567CF2D9A958D85BB667D6660852C02C96009CC9BF253D458EEE08
cve1prion1nvd1cvelist1nessus2