Vulnerabilities > CVE-2018-1447 - Use of Password Hash With Insufficient Computational Effort vulnerability in IBM products

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

ibm

CWE-916

NVD

Published: 2018-04-04

Updated: 2019-10-03

Summary

The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM Spectrum Protect FOR Space Management * IBM Spectrum Protect FOR Virtual Environments 7.1.0.0 IBM Spectrum Protect FOR Virtual Environments 7.1.1 IBM Spectrum Protect FOR Virtual Environments 7.1.2 IBM Spectrum Protect FOR Virtual Environments 7.1.3 IBM Spectrum Protect FOR Virtual Environments 7.1.4 IBM Spectrum Protect FOR Virtual Environments 7.1.6 IBM Spectrum Protect FOR Virtual Environments 7.1.8 IBM Spectrum Protect FOR Virtual Environments 8.1.0.0 IBM Spectrum Protect FOR Virtual Environments 8.1.2 IBM Spectrum Protect FOR Virtual Environments 8.1.4 IBM Spectrum Protect Snapshot *	12

Common Weakness Enumeration (CWE)

CWE-916 - Use of Password Hash With Insufficient Computational Effort

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References