PatchSiren


CVE-2016-0371 IBM CVE debrief

IBM Tivoli Storage Manager (TSM) can reveal a password in plain text through application trace output when application tracing is enabled. This is a credential-disclosure issue rather than a code-execution flaw, but it can still expose sensitive access credentials to anyone who can read the trace output or related logs.

Vendor: IBM
Product: CVE-2016-0371
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Tivoli Storage Manager administrators, backup/storage operators, and security teams responsible for log handling, trace collection, and credential hygiene should pay attention. Any environment that enables application tracing on affected TSM releases should treat trace files as sensitive until the issue is remediated.

Technical summary

NVD describes the issue as a password being displayed in plain text via application trace output while application tracing is enabled. The affected IBM Tivoli Storage Manager ranges listed by NVD are 7.1.0.0 through 7.1.6.2, 6.4.0.0 through 6.4.3.3, and 5.5 through 6.3.2.5. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a locally accessible disclosure condition with high confidentiality impact and no integrity or availability impact.

Defensive priority

Medium. The issue requires local access and tracing to be enabled, but it can expose credentials in clear text, which may enable follow-on unauthorized access if trace data is obtained.

Recommended defensive actions

  • Apply the IBM remediation referenced in the vendor advisory for affected TSM releases.
  • Disable application tracing when it is not required, and treat any trace output as sensitive data.
  • Restrict access to trace files, diagnostic bundles, and log collection locations.
  • Review existing trace output for accidental credential exposure and remove or secure any affected artifacts.
  • Rotate any TSM passwords that may have been exposed in trace output.
  • Update operational guidance so troubleshooting workflows avoid collecting unnecessary sensitive data.
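
One way to carry out the "restrict access" and "review existing trace output" actions above is a small audit script. This is an added example, not IBM or PatchSiren code; the regular expression, the file extensions and the sample trace line are assumptions made for illustration and do not reflect the actual TSM trace format.

```python
import os
import re
import stat

# Assumption: a generic "password-like key, separator, value" pattern. This is
# not IBM's trace format; tune it against real trace output before relying on it.
SECRET_RE = re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*)(\S+)")
TRACE_SUFFIXES = (".trc", ".trace", ".log")  # assumed file extensions


def audit_trace_file(path):
    """Return (readable_by_others, findings) for one trace file.

    findings is a list of (line_number, line_with_value_redacted), so the
    audit report never copies the exposed credential.
    """
    mode = os.stat(path).st_mode
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))  # POSIX bits
    findings = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if SECRET_RE.search(line):
                redacted = SECRET_RE.sub(
                    lambda m: m.group(1) + m.group(2) + "[REDACTED]",
                    line.rstrip("\n"))
                findings.append((lineno, redacted))
    return readable_by_others, findings


def audit_tree(root):
    """Walk root and report trace files that are over-exposed or hold secrets."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TRACE_SUFFIXES):
                path = os.path.join(dirpath, name)
                readable, findings = audit_trace_file(path)
                if readable or findings:
                    report[path] = {"readable_by_others": readable,
                                    "findings": findings}
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample, not real TSM output
        with open(os.path.join(d, "client.trc"), "w") as fh:
            fh.write("10:02:11 sessOpen: node=NODE_A password=Example123 rc=0\n")
        for path, item in audit_tree(d).items():
            print(path, item)
```

Any file the report flags should be secured or removed, and the password it contained rotated, as the list above recommends.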

Evidence notes

Source data identifies the issue as plain-text password exposure in application trace output when tracing is enabled. NVD lists affected IBM Tivoli Storage Manager version ranges as 7.1.0.0-7.1.6.2, 6.4.0.0-6.4.3.3, and 5.5-6.3.2.5. The CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, and NVD assigns CWE NVD-CWE-noinfo.

Official resources

The CVE was published in the NVD/CVE record on 2017-02-01 and last modified on 2026-05-13. The timing here reflects the CVE record lifecycle, not PatchSiren publication time.