#VU12308 Weak password requirements in Spectrum Protect Server and Spectrum Protect Snapshot - CVE-2018-1447
Published: May 1, 2018
Vulnerability identifier: #VU12308
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1447
CWE-ID: CWE-521
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Spectrum Protect Server
Spectrum Protect Snapshot
Software vendor:
IBM Corporation
Description
The vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists because the GSKit CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. A local attacker can gain access to potentially sensitive information.
Remediation
Install the update from the vendor's website.