#VU8672 Information disclosure in Spectrum Protect Server - CVE-2017-1339 

 


Published: October 4, 2017 / Updated: December 6, 2017


Vulnerability identifier: #VU8672
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-1339
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Spectrum Protect Server
Software vendor: IBM Corporation

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to the use of weak encryption for the password. A database administrator can decrypt the client or administrator password to disclose important data or cause a DoS condition on the target system.

Remediation

Update 7.1.x to version 7.1.8.
Update 8.1.x to version 8.1.2 or 8.1.3 (although the issue has been fixed in 8.1.2, IBM recommends upgrading to 8.1.3).

External links