PatchSiren cyber security CVE debrief
CVE-2016-6033 IBM CVE debrief
CVE-2016-6033 is a cross-site request forgery (CSRF) vulnerability affecting IBM VMware-related storage management products. The NVD entry rates it High: the attack path is network-reachable and requires user interaction, meaning a trusted authenticated user can be induced to send unauthorized actions through the web interface.
- Vendor: IBM
- Product: CVE-2016-6033
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
IBM administrators and security teams running Tivoli Storage Manager for Virtual Environments / Data Protection for VMware or Tivoli Storage FlashCopy Manager for VMware, especially installations exposed through web-based administrative workflows. Any environment where privileged operators use the affected console should treat this as relevant.
Technical summary
NVD describes the issue as CSRF (CWE-352) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The affected CPEs in the NVD record include multiple IBM Tivoli Storage Manager for Virtual Environments Data Protection for VMware versions (7.1.0 through 7.1.6.3) and Tivoli Storage FlashCopy Manager for VMware versions (4.1.0.0 through 4.1.6.0). The vendor reference in NVD points to IBM reference 1995545.
Defensive priority
High. The flaw requires user interaction, but it can trigger unauthorized actions through a trusted website context and the NVD impact rating is high across confidentiality, integrity, and availability.
Recommended defensive actions
- Review IBM PSIRT guidance for reference 1995545 and apply the vendor-recommended fix or update path.
- Identify whether any listed IBM VMware backup/storage management versions are deployed in your environment.
- Restrict access to administrative web interfaces and enforce strong session protections where available.
- Verify that users who administer the product are protected against phishing and malicious cross-site requests.
- Monitor for unexpected administrative actions or configuration changes in the affected console.
Evidence notes
Source data identifies CVE-2016-6033 as a CSRF issue in IBM Tivoli Storage Manager for Virtual Environments 7.1 (VMware). NVD lists the weakness as CWE-352 and provides CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The NVD reference list includes IBM support docview reference 1995545 and a SecurityFocus entry (BID 95102). The supplied enrichment marks this as not in CISA KEV.
Official resources
- CVE-2016-6033 CVE record (CVE.org)
- CVE-2016-6033 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Published by NVD/CVE on 2017-02-15. The supplied modified date is 2026-05-13 and should not be treated as the original issue date. No CISA KEV listing is present in the supplied enrichment.