CVE-2018-1447 - OpenCVE

The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Spectrum Protect Snapshot Spectrum Protect For Virtual Environments Spectrum Protect For Space Management

Configuration 1 [-]

OR	cpe:2.3:a:ibm:spectrum_protect_for_space_management::::::vmware::*
	cpe:2.3:a:ibm:spectrum_protect_for_space_management::::::vmware::*
	cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments::::::vmware::*
	cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments::::::vmware::*

Configuration 2 [-]

cpe:2.3:a:ibm:spectrum_protect_snapshot:*:*:*:*:*:vmware:*:*

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=swg22014669	Patch Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg22014957	Patch Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg22015066	Vendor Advisory Patch
http://www.ibm.com/support/docview.wss?uid=swg22015071	Patch Vendor Advisory
http://www.securityfocus.com/bid/104511
http://www.securitytracker.com/id/1041012
https://exchange.xforce.ibmcloud.com/vulnerabilities/139972	VDB Entry Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2018-03-29T00:00:00

Updated: 2018-10-12T09:57:01

Reserved: 2017-12-13T00:00:00

Link: CVE-2018-1447

JSON object: View

NVD Information

Status : Modified

Published: 2018-04-04T18:29:02.293

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-1447

JSON object: View

Redhat Information

No data.

CWE

CWE-916

{"containers": {"cna": {"affected": [{"product": "Spectrum Protect", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.1"}, {"status": "affected", "version": "8.1"}]}, {"product": "Spectrum Protect Snapshot", "vendor": "IBM", "versions": [{"status": "affected", "version": "4.1.3"}, {"status": "affected", "version": "4.1.4"}, {"status": "affected", "version": "4.1.6"}]}, {"product": "Spectrum Protect for Virtual Environments", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.1"}, {"status": "affected", "version": "8.1"}]}, {"product": "Spectrum Protect for Space Management", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.1"}, {"status": "affected", "version": "8.1"}]}], "datePublic": "2018-03-29T00:00:00", "descriptions": [{"lang": "en", "value": "The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/A:N/AC:H/AV:L/C:H/I:N/PR:N/S:U/UI:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-12T09:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22015066"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22014957"}, {"tags": ["x_refsource_MISC"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139972"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22015071"}, {"name": "104511", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104511"}, {"name": "1041012", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041012"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22014669"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2018-03-29T00:00:00", "ID": "CVE-2018-1447", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spectrum Protect", "version": {"version_data": [{"version_value": "7.1"}, {"version_value": "8.1"}]}}, {"product_name": "Spectrum Protect Snapshot", "version": {"version_data": [{"version_value": "4.1.3"}, {"version_value": "4.1.4"}, {"version_value": "4.1.6"}]}}, {"product_name": "Spectrum Protect for Virtual Environments", "version": {"version_data": [{"version_value": "7.1"}, {"version_value": "8.1"}]}}, {"product_name": "Spectrum Protect for Space Management", "version": {"version_data": [{"version_value": "7.1"}, {"version_value": "8.1"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "H", "AV": "L", "C": "H", "I": "N", "PR": "N", "S": "U", "UI": "N"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "http://www.ibm.com/support/docview.wss?uid=swg22015066", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg22015066"}, {"name": "http://www.ibm.com/support/docview.wss?uid=swg22014957", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg22014957"}, {"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139972", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139972"}, {"name": "http://www.ibm.com/support/docview.wss?uid=swg22015071", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg22015071"}, {"name": "104511", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104511"}, {"name": "1041012", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041012"}, {"name": "http://www.ibm.com/support/docview.wss?uid=swg22014669", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg22014669"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2018-1447", "datePublished": "2018-03-29T00:00:00", "dateReserved": "2017-12-13T00:00:00", "dateUpdated": "2018-10-12T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_protect_for_space_management:*:*:*:*:*:vmware:*:*", "matchCriteriaId": "31FC674F-3915-4979-B51C-14A148CEA4DF", "versionEndIncluding": "7.1.8.1", "versionStartIncluding": "7.1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:spectrum_protect_for_space_management:*:*:*:*:*:vmware:*:*", "matchCriteriaId": "793BB1A2-3389-4A33-BA0B-4D4DC250C4EA", "versionEndIncluding": "8.1.4.0", "versionStartIncluding": "8.1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments:*:*:*:*:*:vmware:*:*", "matchCriteriaId": "49B34B53-BB27-41EC-8C37-6643F756DD6C", "versionEndIncluding": "7.1.8.0", "versionStartIncluding": "7.1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments:*:*:*:*:*:vmware:*:*", "matchCriteriaId": "7F3049C6-8148-43CF-BB95-FEDED00F4D67", "versionEndIncluding": "8.1.4.0", "versionStartIncluding": "8.1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_protect_snapshot:*:*:*:*:*:vmware:*:*", "matchCriteriaId": "F7348DFA-F928-4A84-867B-966752268882", "versionEndIncluding": "4.1.6.3", "versionStartIncluding": "4.1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972."}, {"lang": "es", "value": "La l\u00f3gica KDB de GSKit (IBM Spectrum Protect 7.1 y 7.2) y CMS (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4 y 4.1.6) no a\u00f1ade sal a la funci\u00f3n del hash, por lo que resulta en una protecci\u00f3n de contrase\u00f1as m\u00e1s d\u00e9bil de lo esperado. Podr\u00eda recuperarse una contrase\u00f1a d\u00e9bil. Nota: Tras actualizar, el cliente deber\u00eda cambiar la contrase\u00f1a para asegurarse de que la nueva contrase\u00f1a se almacena de forma m\u00e1s segura. Los productos deber\u00edan animar a los clientes a considerar este paso como muy prioritario. IBM X-Force ID: 139972."}], "id": "CVE-2018-1447", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2018-04-04T18:29:02.293", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22014669"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22014957"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory", "Patch"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22015066"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=swg22015071"}, {"source": "psirt@us.ibm.com", "url": "http://www.securityfocus.com/bid/104511"}, {"source": "psirt@us.ibm.com", "url": "http://www.securitytracker.com/id/1041012"}, {"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139972"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-916"}], "source": "nvd@nist.gov", "type": "Primary"}]}