In environments with duplicated mailbox aliases, FlashCopy Manager for Microsoft Exchange, Data Protection for Microsoft Exchange, and FastBack for Microsoft Exchange may open and restore the wrong mailbox.
**CVEID:** CVE-2015-4950
**DESCRIPTION:** IBM Tivoli Storage FlashCopy Manager, Tivoli Storage Manager for Mail, and Tivoli Storage Manager FastBack for Microsoft Exchange could allow a local user with elevated privileges to obtain sensitive information by manipulating mailbox names that share the same alias.
For example:

Mailbox Display Name | Alias |
---|---|
mailbox1 | sales |
mailbox2 | sales |
When two mailboxes have the same alias, users may encounter the following problems when using the affected software:
In the case of Tivoli Storage Manager FastBack for Microsoft Exchange, the software may also open the wrong mailbox when the “Open Mailbox” function is used; folders and messages could subsequently be restored to that incorrect mailbox.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104954 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, 3.1, 3.2, and 4.1
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1, 6.3, 6.4, and 7.1
Tivoli Storage Manager Fastback for Microsoft Exchange 6.1
Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
---|---|---|---|
4.1 | 4.1.1 | IT04251 | Note that 4.1.1 is no longer available for download. You can download 4.1.4 or higher to obtain the fix: <ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/> |
3.2 | 3.2.1.7 | IT04251 | Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix: <ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/> However, this product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.4.x as the FlashCopy Manager for Microsoft Exchange 3.2.x component. Therefore, you may install and use the 6.4.1.4 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software. |
3.1 | None | IT04251 | This product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.3.x as the FlashCopy Manager for Microsoft Exchange 3.1.x component. Therefore, you may install and use the 6.3.1.3 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software. |
2.2 | None | IT04251 | This product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.1.x as the FlashCopy Manager for Microsoft Exchange 2.2.x component. Therefore, you may install and use the 6.1.3.6 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software. |
2.1 | None | IT04251 | This release of the product is end of support and is not eligible for support extensions. Therefore, no fix is planned. IBM recommends upgrading to a fixed, supported version/release/platform of the product. However, this product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.1.x as the FlashCopy Manager for Microsoft Exchange 2.1.x component. Therefore, you may install and use the 6.1.3.6 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software. |
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
---|---|---|---|
7.1 | 7.1.0.2 | IT04251 | Download packages for Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1.0 interim fix packages (7.1.0.x) and READMEs have been removed from the web as they contain unremediated security vulnerabilities. The latest version of 7.1 (7.1.6) contains fixes for the most recent known security and product issues, and can be found using this link: <http://www.ibm.com/support/docview.wss?uid=swg24042166> If you have any questions, please contact IBM support. |
6.4 | 6.4.1.4 | IT04251 | Note that 6.4.1.4 is no longer available for download. You can download 6.4.1.9 to obtain the fix: <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows/> |
6.3 | 6.3.1.3 | IT04251 | Note that 6.3.1.3 is no longer available for download. You can download 6.3.1.6 to obtain the fix: <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/> |
6.1 | 6.1.3.6 | IT04251 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v613/x64/> |
Tivoli Storage Manager FastBack for Microsoft Exchange

Affected V.R | Fixing VRMF | APAR | Remediation/First Fix |
---|---|---|---|
6.1 | 6.1.5.4 | IT04252 | <http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Storage+Manager+FastBack+for+Microsoft+Exchange&release=6.1.5.3&platform=Windows&function=all> |
For the products:
- Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange
two workarounds exist for this problem:
For the product:
- Tivoli Storage Manager FastBack for Microsoft Exchange
three workarounds exist for this problem:
1) Open a PST file and restore messages to the PST file. Then, import the PST file contents into the mailbox.
2) Restore messages using the “SMTP Restore” option.
3) Use the Microsoft Exchange Management Console or PowerShell commands to rename the duplicated mailbox alias to a unique value.
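As an added example for workaround 3 (not part of the IBM bulletin), the following PowerShell script lists every mailbox alias shared by more than one mailbox and, only when run with -Fix, renames all but one mailbox in each group to a unique alias. It assumes the Exchange Management Shell (or a remote Exchange PowerShell session) is loaded; the renaming scheme it applies is an assumption to adapt to local naming policy.

```powershell
# Added example, not part of the IBM bulletin: audit an Exchange organization for
# mailboxes that share an Alias (the condition behind CVE-2015-4950) and, only when
# run with -Fix, rename all but one mailbox in each group to a unique alias
# (workaround 3). Assumes the Exchange Management Shell or a remote Exchange
# PowerShell session is loaded so Get-Mailbox / Set-Mailbox are available.
# Supports -WhatIf, so "-Fix -WhatIf" shows the renames without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

# Fetch every mailbox once; -ResultSize Unlimited lifts the default 1000-object cap.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Record every alias already in use so a proposed rename never creates a new clash.
$taken = @{}
foreach ($m in $mailboxes) { $taken[$m.Alias.ToLower()] = $true }

# Group-Object compares case-insensitively by default; keep groups with 2+ members.
$duplicates = $mailboxes | Group-Object -Property Alias | Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Host 'No duplicated mailbox aliases found.'
    return
}

foreach ($group in $duplicates) {
    Write-Host ("Alias '{0}' is shared by {1} mailboxes:" -f $group.Name, $group.Count)
    $group.Group | Format-Table DisplayName, Alias, PrimarySmtpAddress -AutoSize | Out-Host
    if (-not $Fix) { continue }

    # Keep the alias on the first mailbox (by display name) and rename the rest.
    # New alias scheme (an assumption, adjust to local policy): <alias>-<smtp local part>,
    # falling back to <alias>-<n> if that value is also taken.
    $n = 0
    foreach ($mbx in ($group.Group | Sort-Object DisplayName | Select-Object -Skip 1)) {
        $n++
        $localPart = ($mbx.PrimarySmtpAddress.ToString() -split '@')[0]
        $candidate = '{0}-{1}' -f $group.Name, $localPart
        if ($taken.ContainsKey($candidate.ToLower())) { $candidate = '{0}-{1}' -f $group.Name, $n }
        if ($taken.ContainsKey($candidate.ToLower())) {
            Write-Warning ("No unique alias found for '{0}'; rename it manually." -f $mbx.DisplayName)
            continue
        }
        if ($PSCmdlet.ShouldProcess($mbx.DisplayName, "Set-Mailbox -Alias '$candidate'")) {
            Set-Mailbox -Identity $mbx.Identity -Alias $candidate
            $taken[$candidate.ToLower()] = $true
        }
    }
}
```

Run it without -Fix first to see the affected mailboxes, then with `-Fix -WhatIf` to review the proposed aliases before applying them.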