IBM Spectrum Protect 7.1.x < 7.1.9.300 / 8.1.x < 8.1.8 Multiple Vulnerabilities

High Nessus Plugin ID 126987

Synopsis

The backup service installed on the remote host is affected by multiple vulnerabilities.

Description

IBM Spectrum Protect, formerly known as Tivoli Storage Manager, installed on the remote host is version 7.1.x < 7.1.9.300 or 8.1.x < 8.1.8. It is, therefore, affected by multiple IBM Db2 remote code execution and privilege escalation vulnerabilities. These vulnerabilities could allow an attacker to gain system-level access to the affected host.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to IBM Spectrum Protect 7.1.9.300 or 8.1.8 or later.

See Also

http://www.ibm.com/support/docview.wss?uid=ibm10882974

Plugin Details

Severity: High

ID: 126987

File Name: ibm_spectrum_protect_8_1_8.nasl

Version: 1.3

Type: combined

Family: General

Published: 2019/07/24

Updated: 2020/02/28

Dependencies: 25656, 100719

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2019-4094

CVSS v2.0

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_storage_manager, x-cpe:/a:ibm:spectrum_protect

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/06/28

Vulnerability Publication Date: 2019/06/28

Reference Information

CVE: CVE-2018-1922, CVE-2018-1923, CVE-2018-1936, CVE-2018-1978, CVE-2018-1980, CVE-2019-4014, CVE-2019-4015, CVE-2019-4016, CVE-2019-4094

BID: 107398, 107439, 107686, 107985