The Tivoli Storage Manager (IBM Spectrum Protect) SQL interface is vulnerable to unauthorized access to user credentials and sensitive product information.
CVEID: CVE-2016-8940
DESCRIPTION: IBM Tivoli Storage Manager (IBM Spectrum Protect) does not perform sufficient authority checking on SQL queries. As a result, any administrator, regardless of their authority, is able to submit SQL queries that access database tables that are not intended for access or use by administrators. Access to these product-specific database tables may expose passwords or other sensitive information for the product.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118791 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) Server levels:
Note that this vulnerability has been fixed in 8.1.0.0.
| Tivoli Storage Manager Server Release | Fixing VRM Level | Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.7.100 | AIX, HP-UX, Linux, Solaris, Windows | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Manager&release=7.1.7.100&platform=All&function=all |
| 6.3 | 6.3.6.100 | AIX, HP-UX, Linux, Solaris, Windows | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Storage+Manager&release=6.3.6.100&platform=All&function=all |
| 6.2 and 6.1 | | | Customers on these releases can upgrade the server to a fixed level (7.1.7.100 or 6.3.6.100). Contact IBM Support if you have any questions. |
None
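Added example, not part of the IBM bulletin: a small Python triage helper that checks server levels from an inventory against the fixing levels listed above. It assumes levels are written as V.R.M.F strings, that any level at or above the fixing level within the same release contains the fix, and that releases the bulletin does not list are reported as not covered; the function names and host names are hypothetical.

```python
# Fixing levels come from the bulletin's table; names and sample data are illustrative.
FIX_LEVELS = {(7, 1): (7, 1, 7, 100), (6, 3): (6, 3, 6, 100)}
UPGRADE_ONLY = {(6, 2), (6, 1)}      # no in-release fix; the bulletin says to upgrade
FIRST_FIXED_RELEASE = (8, 1, 0, 0)   # "fixed in 8.1.0.0"


def parse_vrmf(text):
    """Parse 'V.R.M.F' (missing trailing fields count as 0) into a 4-tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a V.R.M.F level: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def triage(level):
    """Return (status, action) for one server level string."""
    v = parse_vrmf(level)
    if v >= FIRST_FIXED_RELEASE:
        return ("fixed", None)
    release = v[:2]
    if release in FIX_LEVELS:
        fix = FIX_LEVELS[release]
        if v >= fix:  # assumption: later levels in the release keep the fix
            return ("fixed", None)
        return ("needs_fix", "apply " + ".".join(map(str, fix)))
    if release in UPGRADE_ONLY:
        return ("needs_fix", "upgrade to 7.1.7.100 or 6.3.6.100")
    return ("not_covered", "release not listed in the bulletin; check with IBM Support")


def triage_inventory(servers):
    """Map {server name: level string} to {server name: (status, action)}."""
    result = {}
    for name, level in servers.items():
        try:
            result[name] = triage(level)
        except ValueError as exc:
            result[name] = ("unparseable", str(exc))
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {"tsm-a": "7.1.7.0", "tsm-b": "6.3.6.100", "tsm-c": "6.2.5", "tsm-d": "8.1.0.0"}
    for name, verdict in triage_inventory(sample).items():
        print(name, *verdict)
```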