IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by multiple IBM DB2 vulnerabilities that could allow exposure of sensitive information to the local user or elevation of privileges.
**CVEID:** CVE-2017-1434
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server), under unusual circumstances, could expose highly sensitive information in the error log to a local user.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127806 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** CVE-2017-1438
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** CVE-2017-1439
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128058 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** CVE-2017-1451
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128178 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** CVE-2017-1452
**DESCRIPTION:** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user to obtain elevated privilege and overwrite DB2 files.
CVSS Base Score: 6.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128180 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
These vulnerabilities affect the following IBM Spectrum Protect (formerly Tivoli Storage Manager) Server levels:

| IBM Spectrum Protect (Tivoli Storage Manager) Server Release | First Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 8.1 | 8.1.4 | AIX, Linux, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v8r1/><br>Note 8.1.5 also contains the fix and may be used. |
| 7.1 | 7.1.9 | AIX, HP-UX, Linux, Solaris, Windows | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/server/v7r1/> |
| 6.3 and below | | | 6.3 and below are EOS. Customers on these releases can upgrade the server to a fixed level (8.1.4 or 7.1.9).<br>Note that 6.4 shipped with 6.3 servers. |

None
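
The fix table above, turned into an inventory check as an added example (not IBM's code): it classifies a server level string against the first fixing levels 8.1.4 and 7.1.9 and flags EOS releases. The accepted input shapes, the status labels, and the sample host names and levels are assumptions constructed for illustration.

```python
import re

# First fixing VRM per release, copied from the bulletin's table.
FIRST_FIXED = {(8, 1): (8, 1, 4), (7, 1): (7, 1, 9)}
EOS_MAX_RELEASE = (6, 3)  # "6.3 and below are EOS"

# Assumed input shapes: dotted "8.1.3.000" or a "Version 8, Release 1, Level 3.000" banner.
_BANNER = re.compile(r"Version\s+(\d+),\s*Release\s+(\d+),\s*Level\s+(\d+)", re.I)
_DOTTED = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?![\d.])")


def parse_vrm(text):
    """Return (version, release, modification) as ints, or None if absent."""
    m = _BANNER.search(text) or _DOTTED.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(text):
    """Classify one server level string against the bulletin's fix table."""
    vrm = parse_vrm(text)
    if vrm is None:
        return "unparsed"
    release = vrm[:2]
    if release <= EOS_MAX_RELEASE:
        return "eos-upgrade"   # fix only via upgrade to 8.1.4 or 7.1.9
    if release not in FIRST_FIXED:
        return "not-listed"    # bulletin makes no statement; check manually
    # Integer tuples compare numerically, so 7.1.10 sorts above 7.1.9.
    return "fixed" if vrm >= FIRST_FIXED[release] else "vulnerable"


def triage_inventory(inventory):
    """Map host -> status for a {host: level_string} inventory."""
    return {host: triage(level) for host, level in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and levels are illustrative.
    sample = {
        "tsm-prod-01": "8.1.3.000",
        "tsm-prod-02": "8.1.5.000",
        "tsm-dr-01": "Server Version 7, Release 1, Level 7.000",
        "tsm-old-01": "6.3.6.000",
    }
    for host, status in sorted(triage_inventory(sample).items()):
        print(f"{host:12} {sample[host]:42} {status}")
```

Hosts reported as `not-listed` or `unparsed` need a manual look, since the bulletin says nothing about releases outside its table.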