May 2, 2017 10:00 am EDT
Categorized: Medium Severity
When using the “set password” Tivoli Storage Manager (IBM Spectrum Protect) client command, the full text of the command and included password is written to the instrumentation log file if instrumentation tracing is enabled. For 7.1.6.0 and higher, instrumentation tracing is enabled by default but can be disabled by using the ENABLEINSTRUMENTATION NO setting. Prior to 7.1.6.0, instrumentation tracing was enabled by using the INSTRUMENT:* testflag.
CVE(s): CVE-2016-8916
Affected product(s) and affected version(s):
The following levels of IBM Tivoli Storage Manager (IBM Spectrum Protect) Client are affected:
- 7.1.0.0 through 7.1.6.4
- 6.4.0.0 through 6.4.3.4
- 6.3, 6.2, 6.1, and 5.5 all levels (these releases are EOS)
Note that 8.1.0.0 is not affected as the fix has been included in this version.
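The check below combines the affected levels with the instrumentation settings described above to tell whether a given client could write a password to the instrumentation log. It is an added example, not code from IBM or the bulletin. The option-file syntax (one "NAME value" per line, "*" starting a comment), the TESTFLAG option name and the sample inputs are assumptions.

```python
# Levels from the bulletin. Ranges are inclusive; 6.3, 6.2, 6.1 and 5.5 are affected at all levels.
AFFECTED_RANGES = [((7, 1, 0, 0), (7, 1, 6, 4)), ((6, 4, 0, 0), (6, 4, 3, 4))]
AFFECTED_ALL_LEVELS = {(6, 3), (6, 2), (6, 1), (5, 5)}
DEFAULT_ON_FROM = (7, 1, 6, 0)  # tracing is enabled by default from this level


def parse_level(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part level such as 7.1.6.4")
    return parts


def is_affected(level):
    v = parse_level(level)
    return v[:2] in AFFECTED_ALL_LEVELS or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def instrumentation_enabled(level, options_text):
    # Assumed syntax: "NAME value" per line, case-insensitive, "*" starts a comment.
    default_on = parse_level(level) >= DEFAULT_ON_FROM
    enabled = default_on
    for raw in options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        tokens = line.split(None, 1)
        name = tokens[0].upper()
        value = tokens[1].strip().upper() if len(tokens) > 1 else ""
        if default_on and name == "ENABLEINSTRUMENTATION":
            enabled = value != "NO"  # only an explicit NO turns tracing off
        elif not default_on and name.startswith("TESTFLAG") and "INSTRUMENT:" in value:
            enabled = True  # older levels trace only when the testflag is set
    return enabled


def password_logging_risk(level, options_text):
    """True when 'set password' text could reach the instrumentation log."""
    return is_affected(level) and instrumentation_enabled(level, options_text)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real client.
    samples = [("7.1.6.2", ""), ("7.1.6.2", "ENABLEINSTRUMENTATION NO"),
               ("7.1.4.0", "TESTFLAG INSTRUMENT:DETAIL"), ("8.1.0.0", "")]
    for level, opts in samples:
        print(level, repr(opts), password_logging_risk(level, opts))
```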
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2psdetv
X-Force Database: http://ift.tt/2qtU2K2
from IBM Product Security Incident Response Team http://ift.tt/2prZqiE