When using IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server or IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server, the Microsoft SQL Server user ID and password are presented in plain text in the task completion status details available within the MMC GUI’s Task List view.
CVEID: CVE-2016-3059
DESCRIPTION: IBM Tivoli Storage Manager for Database (SQL) stores the user ID and password of a Microsoft SQL Server in plain text in the Task List information available within the MMC GUI.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
The following levels of IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (IBM Spectrum Protect for Databases) are affected:
The following levels of IBM Tivoli Storage FlashCopy Manager for Microsoft SQL Server (IBM Spectrum Protect Snapshot) are affected:

| Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server Release | First Fixing VRM Level | Link to Fix / Fix Availability Target |
|---|---|---|
| 6.4 | 6.4.1.9 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v641/windows/> |
| 6.3 | 6.3.1.7 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/sql/v631/windows/> |

| Tivoli Storage FlashCopy Manager for Microsoft SQL Server Release | First Fixing VRM Level | Link to Fix / Fix Availability Target |
|---|---|---|
| 3.2 | 3.2.1.9 | <ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/> |
| 3.1 | 3.1.1.7 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions. |

Set the “Use Microsoft Windows authentication” option instead of the “Use SQL Server authentication” option to allow authentication to the Microsoft SQL Server via a trusted Microsoft Windows connection.
If you cannot utilize the “Use Microsoft SQL Server authentication” option, manually clear the Task List from the MMC GUI after every operation. To remove a Task List entry, click the task and then click the “Remove” button. You can also remove all completed tasks from the Task List using the “Remove Completed” option.