Information disclosure in Spectrum Protect Server - CVE-2017-1339
Published: October 4, 2017 / Updated: December 6, 2017
Vulnerability identifier: #VU8672
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-1339
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: IBM Corporation
Affected software:
Spectrum Protect Server
Spectrum Protect Server
Detailed vulnerability description
The vulnerability allows a local attacker to obtain potentially sensitive information.
The weakness exists due to use of weak encryption for the password. A database administrator can decrypt the client or administrator password to disclose important data or cause DoS condition on the target system.
The weakness exists due to use of weak encryption for the password. A database administrator can decrypt the client or administrator password to disclose important data or cause DoS condition on the target system.
How to mitigate CVE-2017-1339
Update 7.1.x to version 7.1.8.
Update 8.1.x to version 8.1.2/8.1.3 (Although the issue has been fixed in 8.1.2, IBM recommends to upgrade to 8.1.3).
Update 8.1.x to version 8.1.2/8.1.3 (Although the issue has been fixed in 8.1.2, IBM recommends to upgrade to 8.1.3).