CVE-2018-1447

MEDIUM

IBM Spectrum Protect <7.2 - Password Weakness

Title source: llm

Description

The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.

References (7)

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22014669

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22014957

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22015066

[Patch, Vendor Advisory] http://www.ibm.com/support/docview.wss?uid=swg22015071

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1041012

[VDB Entry, Vendor Advisory] https://exchange.xforce.ibmcloud.com/vulnerabilities/139972

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/104511

Scores

CVSS v3 5.1

EPSS 0.0008

EPSS Percentile 23.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-916

Status published

Affected Products (3)

ibm/spectrum_protect_for_space_management < 7.1.8.1

ibm/spectrum_protect_for_virtual_environments < 7.1.8.0

ibm/spectrum_protect_snapshot < 4.1.6.3

Timeline

Published Apr 04, 2018

Tracked Since Feb 18, 2026