History: Jun 17, 2018 - 3:10 p.m.

Security Bulletin: Password Disclosure via FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-4949, CVE 2015-6557

Source: www.ibm.com

EPSS: 0.001 (Low), percentile 20.0%

Summary

The password associated with Tivoli Storage Manager or the Microsoft SQL DB user is displayed in plain text via application pop-up messages for failed operations and in application trace output.

Vulnerability Details

CVEID: CVE-2015-4949
DESCRIPTION: IBM Tivoli Storage Manager for Databases could allow a local user to see error messages that contain the plain text passwords of users.

When using one of the following applications:

  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
  • Tivoli Storage FlashCopy Manager on Windows

pop-up error messages associated with an exception condition generated during a failed backup, restore, or query operation will display the Tivoli Storage Manager password and/or the Microsoft SQL DB user’s password in plain text.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104953 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2015-6557
DESCRIPTION: When application tracing is enabled, these passwords are displayed in plain text in the trace output.

In all cases, the passwords displayed are passwords that the logged in user executing the operation would already know or have access to via their login credentials.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106385 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

In the context of pop-up error messages:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 4.1 (for File System backups)
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 4.1

In the context of application tracing:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 3.1, 3.2, and 4.1

Remediation/Fixes

Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server

| Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| 7.1 | 7.1.2 | IT03480 | Note that 7.1.2 is no longer available for download. You can download 7.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntsql/v714/ |
| 6.4 | 6.4.1.7 | IT03480 | Note that 6.4.1.7 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/ |
| 6.3 | 6.3.1.5 | IT03480 | Note that 6.3.1.5 is no longer available for download. You can download 6.3.1.7 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/ |
| 5.5 | 5.5.6.1 | IT03480 | Note that 5.5.6.1 is no longer available for download. You can download 5.5.6.2 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v556/ |
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server

| Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| 7.1 | 7.1.2 | IT03480 | Note that 7.1.2 is no longer available for download. You can download 7.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v714/ |
| 6.4 | 6.4.1.7 | IT03480 | Note that 6.4.1.7 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com//storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows/ |
| 6.3 | 6.3.1.5 | IT03480 | Note that 6.3.1.5 is no longer available for download. You can download 6.3.1.6 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/ |
| 6.1 | None | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
| 5.5 | 5.5.1.1 | IT03480 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v551/ |

Tivoli Storage FlashCopy Manager: FlashCopy Manager for Windows

Includes fix for the following components:
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server

- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server

| Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| 4.1 | 4.1.2 | IT03480 | Note that 4.1.2 is no longer available for download. You can download 4.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/ |
| 3.2 | 3.2.1.7 | IT03480 | Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/ |
| 3.1 | 3.1.1.5 | IT03480 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release, which contains the most recent security fixes. Contact IBM Support with any questions. |
| 2.2 | None | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |
| 2.1 | None | IT03480 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product. |

Workarounds and Mitigations

In the context of the pop-up error messages (which only affects the 7.1 and 4.1 releases of the affected software), use one of the following options to mitigate the problem:

  • Pop-up messages are only displayed when using the GUI. The command line interface (CLI) is not affected and can be used as a workaround to this problem.
  • Use Windows authentication instead of SQL Server Authentication.
  • Use “generate” as a value for “passwordaccess” option and make sure that a valid password has been stored in the registry.

In the context of application tracing, use one of the following options to mitigate the problem:

  • Do not enable application tracing.
  • Use Windows authentication instead of SQL Server Authentication.
  • Use “generate” as a value for “passwordaccess” option and make sure that a valid password has been stored in the registry.
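Both CVEs describe the same defect class: a failure path that embeds a raw connection string or option set, password included, into a user-facing error message or a trace line. The block below is an added illustration of that defect beside its hardened form, plus a small scanner that flags trace lines already written with a credential in them; it is not IBM's code, the `Password=` and `/TSMPassword=` patterns are assumptions about where a password tends to appear in such strings, and the trace lines are constructed samples.

```python
import re
from typing import Iterable, List, Tuple

# Assumed patterns for where a password lands in error/trace text:
# a SQL Server connection string ("...;Password=...;") and a command-line
# style option ("/TSMPassword=..."). Group 1 keeps the key, group 2 is the
# value to mask. Values end at ';', whitespace or end of line.
_SECRET_PATTERNS = [
    re.compile(r"(?i)((?:^|[;\s])(?:password|pwd)\s*=\s*)([^;\s]+)"),
    re.compile(r"(?i)((?:^|[\s/-])tsmpassword\s*=\s*)([^;\s]+)"),
]

MASK = "*****"


def redact_secrets(text: str) -> str:
    """Mask every password value in text while keeping the key name visible."""
    for pat in _SECRET_PATTERNS:
        text = pat.sub(lambda m: m.group(1) + MASK, text)
    return text


def build_error_unsafe(operation: str, conn_str: str, exc: Exception) -> str:
    # The failure mode the bulletin describes: the raw connection string,
    # password and all, is dropped straight into the message the user sees.
    return f"{operation} failed: {exc} (connection: {conn_str})"


def build_error_safe(operation: str, conn_str: str, exc: Exception) -> str:
    # Hardened form: the same diagnostic value, but secrets are masked before
    # the string reaches a pop-up, a log or a trace file.
    return f"{operation} failed: {exc} (connection: {redact_secrets(conn_str)})"


def find_exposed_secrets(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan trace lines; return (line_number, redacted_line) for each hit.

    The redacted copy is returned so a finding can be reported without
    re-exposing the credential in the report itself.
    """
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        if any(pat.search(line) for pat in _SECRET_PATTERNS):
            hits.append((number, redact_secrets(line)))
    return hits


# Constructed sample trace (not real product output): one line carries a
# connection string with a plain-text password, the others do not.
SAMPLE_TRACE = [
    "10:42:01 tdpsql  connect  Server=SQL01;Database=master;User ID=backupop;Password=Wint3r!;",
    "10:42:02 tdpsql  backup   database=Sales type=full",
    "10:42:03 tdpsql  error    login failed for user 'backupop'",
]


if __name__ == "__main__":
    conn = "Server=SQL01;Database=master;User ID=backupop;Password=Wint3r!;"
    err = RuntimeError("login failed")
    print("unsafe :", build_error_unsafe("backup", conn, err))
    print("safe   :", build_error_safe("backup", conn, err))
    for number, line in find_exposed_secrets(SAMPLE_TRACE):
        print(f"trace line {number} exposes a credential: {line}")
```

The scanner is the check a practitioner would run over existing trace output before sharing it with support, since the bulletin notes that the leaked password is one the operator already holds: the risk is the copy left behind in files and screenshots, not a new credential for the operator.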
