Description
The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.
References (7)
Core 7
Core References
Patch, Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg22015066
Patch, Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg22014957
VDB Entry, Vendor Advisory x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/139972
Patch, Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg22015071
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/104511
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041012
Patch, Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg22014669
Scores
CVSS v3
5.1
EPSS
0.0093
EPSS Percentile
55.8%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-916
Status
published
Products (3)
ibm/spectrum_protect_for_space_management
7.1.0.0 - 7.1.8.1
ibm/spectrum_protect_for_virtual_environments
7.1.0.0 - 7.1.8.0
ibm/spectrum_protect_snapshot
4.1.0.0 - 4.1.6.3
Published
Apr 04, 2018
Tracked Since
Feb 18, 2026