Tivoli Storage Manager (IBM Spectrum Protect) Server is affected by an IBM DB2 software vulnerability that can result in a local user gaining root level access to which the user is not entitled.
CVEID: CVE-2016-5995
DESCRIPTION: DB2 for Linux, Unix and Windows is vulnerable to a privilege escalation because binaries are built to load libraries from insecure locations. A local user could place a malicious library in a location from which a SETGID or SETUID binary would load and execute it, and gain root level access.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116653 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
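A defensive check for the condition in the DESCRIPTION above, added here as an example and not taken from IBM's bulletin or fix: it lists SETUID/SETGID files under a directory and flags library search path entries that a non-root user could control. It assumes the insecure locations show up as ELF RPATH/RUNPATH entries (the bulletin does not say so) and that binutils `readelf` is installed; all function names are illustrative.

```python
import os, re, stat, subprocess

# Matches the RPATH/RUNPATH lines printed by `readelf -d`.
PATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

def search_paths(readelf_output):
    """Extract RPATH/RUNPATH directory entries from `readelf -d` output."""
    entries = []
    for match in PATH_RE.finditer(readelf_output):
        entries.extend(match.group(1).split(":"))
    return entries

def insecure_reason(entry, trusted_uids=(0,)):
    """Return why a search-path entry is unsafe for a privileged binary, else None."""
    if not entry or not os.path.isabs(entry):
        return "not an absolute path"  # empty, relative or $ORIGIN-based: review
    try:
        st = os.stat(entry)
    except OSError:
        return "directory missing or unreadable"  # check who could create it
    if st.st_uid not in trusted_uids:
        return f"owned by untrusted uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None  # parent directories need the same ownership/mode review

def readelf_dynamic(path):
    """Dynamic section of an ELF file via binutils readelf ('' if not ELF)."""
    proc = subprocess.run(["readelf", "-d", path], capture_output=True, text=True)
    return proc.stdout

def audit(root, dump=readelf_dynamic, trusted_uids=(0,)):
    """Return (binary, entry, reason) for SETUID/SETGID files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            for entry in search_paths(dump(path)):
                reason = insecure_reason(entry, trusted_uids)
                if reason:
                    findings.append((path, entry, reason))
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1]):  # argument: installation directory to audit
        print(*finding, sep="\t")
```

An empty result after applying the fix level is the expected state; any finding on a SETUID/SETGID binary should be reviewed before the host is considered remediated.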
This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) Server levels:
Note that this vulnerability has been fixed in 8.1.0.0.
| Tivoli Storage Manager Server Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.7.100 | AIX, HP-UX, Linux | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Manager&release=7.1.7.100&platform=All&function=all |
| 6.3 | 6.3.6.100 | Linux | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Manager&release=6.3.6.100&platform=All&function=all |