CVE-2018-1447

MEDIUM

IBM Spectrum Protect <7.2 - Password Weakness

Title source: llm

Description

The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.

References (7)

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22015066

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22014957

[VDB Entry, Vendor Advisory] https://exchange.xforce.ibmcloud.com/vulnerabilities/139972

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22015071

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/104511

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1041012

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22014669

Scores

CVSS v3 5.1

EPSS 0.0008

EPSS Percentile 23.5%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-916

Status published

Products (3)

ibm/spectrum_protect_for_space_management 7.1.0.0 - 7.1.8.1

ibm/spectrum_protect_for_virtual_environments 7.1.0.0 - 7.1.8.0

ibm/spectrum_protect_snapshot 4.1.0.0 - 4.1.6.3

Published Apr 04, 2018

Tracked Since Feb 18, 2026