The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by an IBM Db2 vulnerability that could allow a local user to overwrite arbitrary files owned by the Db2 instance owner.
UPDATED 1/16/2019: Changed “First Fixing VRM Level” in Remediation/Fixes table for 8.1 from 8.1.6 to 8.1.6.100.
UPDATED 6/28/2019: Added fix for 7.1.
CVEID: CVE-2018-1448
DESCRIPTION: IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes Db2 Connect Server) contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the Db2 instance owner. IBM X-Force ID: 140043.
CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140043> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
This vulnerability affects the IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels:
IBM Spectrum Protect Server Release | First Fixing VRM Level | Platform | Link to Fix
---|---|---|---
8.1 | 8.1.6.100 | AIX, Linux, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/server>
7.1 | 7.1.9.300 | AIX, HP-UX, Linux, Solaris, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/server/>