IBM Security Bulletin: vCenter password disclosure via application tracing in IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments:Data Protection for VMware (CVE-2016-6110)

The IBM Tivoli Storage Manager Client may display the obfuscated VMware vCenter userID and password during VM backup with the INCLUDE.VMTSMVSS option when application tracing is enabled with VMTSMVSS flag. This problem only manifests when the Tivoli Storage Manager Client is used as the IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware data mover.

CVE(s): CVE-2016-6110

Affected product(s) and affected version(s):

This security exposure affects:

• Tivoli Storage Manager (IBM Spectrum Protect) Client levels 7.1.0.0 through 7.1.6.3
• Tivoli Storage Manager for Virtual Environments (IBM Spectrum Protect for Virtual Environments): Data Protection for VMware levels 7.1.0.0 through 7.1.6.3.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2ifcK3C
X-Force Database: http://ift.tt/2jepr30

from IBM Product Security Incident Response Team http://ift.tt/2if6LMn