When performing an archive and retrieve operation using a symbolic link, the IBM Tivoli Storage Manager (IBM Spectrum Protect) Client could allow a local user to access files they are otherwise not allowed to access.
**CVEID:** CVE-2016-2894

**DESCRIPTION:** IBM Tivoli Storage Manager could allow a local user to obtain sensitive information from other users' files, provided that the user has performed an archive and retrieve operation and has done so using a symbolic link.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113066 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
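The bulletin does not say at which point the client followed the link, so the following is an added, generic illustration of the defect class rather than IBM's client code or its fix: an archive routine that records a symbolic link as a link instead of reading its target, and a retrieve routine that refuses to write through a link that already exists at the destination. The file and path names are constructed for the demonstration; `archive_file`, `retrieve_file` and `demo` are hypothetical names, not Tivoli Storage Manager APIs.

```python
import os
import stat
import tempfile


def archive_file(path):
    """Return ("symlink", target) or ("file", bytes) for path, never following a link."""
    st = os.lstat(path)  # lstat reports the link itself, not what it points at
    if stat.S_ISLNK(st.st_mode):
        # A link is archived as a link. Its target is never opened, so a link
        # planted by the calling user cannot pull another user's file into
        # the caller's archive.
        return ("symlink", os.readlink(path))
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("refusing to archive non-regular file: %s" % path)
    # O_NOFOLLOW makes the open fail (ELOOP) if a link was swapped in after
    # the lstat above; it only covers the final path component, so a fully
    # hardened client would also walk parent directories with openat().
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:  # f owns fd and closes it
        fst = os.fstat(f.fileno())
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise RuntimeError("object changed between check and open: %s" % path)
        return ("file", f.read())


def retrieve_file(dest, data):
    """Write restored bytes to dest, refusing to write through an existing link."""
    # O_EXCL refuses to create over anything already present at dest, a
    # symlink included; O_NOFOLLOW additionally refuses to follow a link in
    # the final component. Restored bytes therefore cannot land in a file
    # the caller merely pointed at with a link. Mode 0600 keeps the restored
    # copy private to the retrieving user.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        return f.write(data)


def demo():
    """Constructed scenario: a link planted beside another user's file."""
    secret = b"other user's data"
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim_secret.txt")
        with open(victim, "wb") as f:
            f.write(secret)
        link = os.path.join(root, "planted_link")
        os.symlink(victim, link)

        archived_link = archive_file(link)    # ("symlink", victim): no secret bytes
        archived_file = archive_file(victim)  # ("file", secret) for a real file

        try:
            retrieve_file(link, b"restored")
            retrieve_blocked = False
        except OSError:                       # EEXIST (or ELOOP): refused
            retrieve_blocked = True
        with open(victim, "rb") as f:
            victim_intact = f.read() == secret
        written = retrieve_file(os.path.join(root, "fresh.txt"), b"restored")

        return {
            "archived_link": archived_link,
            "archived_file": archived_file,
            "victim_path": victim,
            "retrieve_blocked": retrieve_blocked,
            "victim_intact": victim_intact,
            "written": written,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The two checks that matter are the `lstat` before reading and the `O_CREAT | O_EXCL | O_NOFOLLOW` flags before writing; the `fstat` comparison closes the window between inspecting the path and opening it. A client that instead calls a plain `open()` on the path in either direction is the pattern this bulletin's CVSS vector (local, no privileges, confidentiality only) describes.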
The following levels of IBM Tivoli Storage Manager (IBM Spectrum Protect) Client are affected:
| Tivoli Storage Manager Client Release | First Fixing VRM Level | APAR | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|---|
| 7.1 | 7.1.6 | IT13686 | AIX, HP-UX, Linux, Solaris | http://www.ibm.com/support/docview.wss?uid=swg24042350 |
| 6.4 | 6.4.3.3 | IT13686 | AIX, HP-UX, Linux, Solaris | http://www.ibm.com/support/docview.wss?uid=swg24041144 |
| 6.3 | 6.3.2.6 | IT13686 | AIX, HP-UX, Linux, Solaris | http://www.ibm.com/support/docview.wss?uid=swg24037930 |
| 6.2, 6.1, and 5.5 | None | None | AIX, HP-UX, Linux, Solaris | Upgrade to a fixed level (7.1.6, 6.4.3.3, or 6.3.2.6). |
None