CVE-2016-5927: Infoleak
First published: Mon Sep 12 2016(Updated: )
IBM Tivoli Storage Manager for Space Management (aka Spectrum Protect for Space Management) 6.3.x before 6.3.2.6, 6.4.x before 6.4.3.3, and 7.1.x before 7.1.6, when certain dsmsetpw tracing is configured, allows local users to discover an encrypted password by reading application-trace output.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Tivoli Storage Manager for Space Management | =6.3.0 | |
| IBM Tivoli Storage Manager for Space Management | =6.3.2 | |
| IBM Tivoli Storage Manager for Space Management | =6.4.0 | |
| IBM Tivoli Storage Manager for Space Management | =6.4.0.0 | |
| IBM Tivoli Storage Manager for Space Management | =6.4.1 | |
| IBM Tivoli Storage Manager for Space Management | =6.4.2 | |
| IBM Tivoli Storage Manager for Space Management | =6.4.3 | |
| IBM Tivoli Storage Manager for Space Management | =7.1.0 | |
| IBM Tivoli Storage Manager for Space Management | =7.1.1 | |
| IBM Tivoli Storage Manager for Space Management | =7.1.2 | |
| IBM Tivoli Storage Manager for Space Management | =7.1.3 | |
| IBM Tivoli Storage Manager for Space Management | =7.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-5927?
CVE-2016-5927 is rated as moderately severe due to the risk of local users uncovering encrypted passwords.
How do I fix CVE-2016-5927?
To mitigate CVE-2016-5927, upgrade to IBM Tivoli Storage Manager for Space Management version 6.3.2.6, 6.4.3.3, or 7.1.6 or later.
Which IBM Tivoli Storage Manager for Space Management versions are affected by CVE-2016-5927?
CVE-2016-5927 affects IBM Tivoli Storage Manager for Space Management versions 6.3.0 to 6.3.2.5, 6.4.0 to 6.4.3.2, and 7.1.0 to 7.1.5.
Can local users exploit CVE-2016-5927?
Yes, local users can exploit CVE-2016-5927 by reading application-trace output to uncover an encrypted password.
Is there a workaround for CVE-2016-5927?
While upgrading is the most effective solution, limiting access to application-trace output may provide a temporary workaround for CVE-2016-5927.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/author
- agent/references
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- vendor/ibm
- canonical/ibm tivoli storage manager for space management
- version/ibm tivoli storage manager for space management/6.3.0
- version/ibm tivoli storage manager for space management/6.3.2
- version/ibm tivoli storage manager for space management/6.4.0
- version/ibm tivoli storage manager for space management/6.4.0.0
- version/ibm tivoli storage manager for space management/6.4.1
- version/ibm tivoli storage manager for space management/6.4.2
- version/ibm tivoli storage manager for space management/6.4.3
- version/ibm tivoli storage manager for space management/7.1.0
- version/ibm tivoli storage manager for space management/7.1.1
- version/ibm tivoli storage manager for space management/7.1.2
- version/ibm tivoli storage manager for space management/7.1.3
- version/ibm tivoli storage manager for space management/7.1.4