The following are News Flashes and Problem Solving Hints provided by the IBM Spectrum Protect Team.

NOTE: IBM does not endorse or support this site in any way. Lascon Storage is totally independent, and the links below are provided in good faith.


IBM Spectrum Protect News and Technical Flashes

Some of these links require an IBM login.

July 2019

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server and Storage Agents are vulnerable to a stack-based buffer overflow and elevation of privileges

Potential spoofing and denial of service vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client web user interface

ACL entries associated with a file or directory on a VxFS HP-UX filesystem may not be backed up by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client is vulnerable to a buffer overflow that could allow execution of arbitrary code on the local system or the application to crash.

An OpenSSL vulnerability was disclosed on February 26, 2019 by the OpenSSL Project. OpenSSL, used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client for network connections with NetApp services

Multiple vulnerabilities in IBM Runtime Environment Java were disclosed as part of the IBM Java SDK updates in January 2019. IBM Runtime Environment Java is used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client

June 2019

APARs IT28096 and IT29362 may affect directory-container and cloud-container storage pools which can result in damaged deduplicated extents (chunks)

The IBM Spectrum Protect backup-archive client and the IBM Spectrum Protect for Space Management client can incorrectly store atime, mtime, or ctime time stamps of files on the IBM Spectrum Protect server if the time stamp is earlier than January 1970.

IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting and escalation of privileges which can affect IBM Spectrum Protect.

There are multiple vulnerabilities in IBM Runtime Environment Java which is used by the IBM Spectrum Protect.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by multiple IBM Db2 vulnerabilities such as buffer overflow and loading binaries from an untrusted path. These Db2 vulnerabilities could allow execution of arbitrary code.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server may disclose the database restore password when using the dsmserv restore db command. This could allow another user to perform a database restore...

A potential spoofing vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center

A stack trace may be displayed in error messages generated by IBM Spectrum Protect

There are multiple vulnerabilities in IBM Runtime Environment Java which is used by IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and IBM Spectrum Protect (formerly Tivoli Storage Manager) Client Management Service

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by an IBM Db2 vulnerability that could allow a local user to overwrite arbitrary files owned by the Db2 instance owner.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by an IBM Db2 vulnerability that could allow local users to overwrite files owned by the Db2 instance owner, execution of arbitrary code on the system ...

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Server is affected by an IBM Db2 vulnerability. These Db2 vulnerabilities could allow a local user to gain elevated privileges, read any file on the system, or execute arbitrary code ...

There are multiple vulnerabilities in IBM Runtime Environment Java used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Server. These issues were disclosed as part of the IBM Java SDK updates in October 2018

May 2019

No news flashes for May

April 2019

When tracing is enabled, the IBM Spectrum Protect Backup-Archive Client trace file may display the password in plain text. This affects the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client

IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client and IBM Spectrum Protect for Virtual Environments on Windows are affected by a password exposure vulnerability caused by insecure file permissions.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Client Web interface is vulnerable to a clickjacking attack that could allow a remote attacker to hijack the clicking action of the victim.

Multiple vulnerabilities in IBM Runtime Environment Java were disclosed as part of the IBM Java SDK updates in October 2018. IBM Runtime Environment Java is used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client

OpenSSL vulnerabilities were disclosed on April 16, 2018, June 16, 2018, and October 30, 2018 by the OpenSSL Project. OpenSSL, used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client for network connections

OpenSSL vulnerabilities were disclosed on April 16, 2018 and June 16, 2018 by the OpenSSL Project. OpenSSL, used by the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client and IBM Spectrum Protect for Virtual Environments

Potential overwrite of newly ingested chunks in a directory container storage pool. Under certain circumstances, the IBM Spectrum Protect Server might overwrite newly ingested chunks in a container.

March 2019

Files and directories restored using the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client web user interface on Windows may have incorrect permissions.

February 2019

The IBM Spectrum Protect Server is affected by multiple IBM Db2 vulnerabilities that could allow local users to overwrite files owned by the Db2 instance owner, execution of arbitrary code on the system, or an elevation of privileges.

There are multiple vulnerabilities in IBM Runtime Environment Java used by the IBM Spectrum Protect Server. These issues were disclosed as part of the IBM Java SDK updates in October 2018.

The IBM Spectrum Protect Server is affected by multiple IBM Db2 vulnerabilities. These Db2 vulnerabilities could allow a local user to gain elevated privileges, read any file on the system, or execute arbitrary code on the system.

IBM Spectrum Protect (formerly Tivoli Storage Manager) Unix Clients may use a symbolic link to provide non-privileged users access to files that require root privileges.

There are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client. The IBM Spectrum Protect Client has addressed the applicable CVEs.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Client, IBM Spectrum Protect: Data Protection for VMware, and IBM Spectrum Protect for Space Management could allow a local user to corrupt or delete sensitive information.

The IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect for Virtual Environments (formerly Tivoli Storage Manager for Virtual Environments), allow legacy SSL/TLS protocols and ciphers to be used.

IBM Spectrum Protect (formerly Tivoli Storage Manager) and IBM Spectrum Protect for Virtual Environments allow Triple DES (3DES) ciphers to be used. This can result in the use of weaker than expected cryptographic algorithms.

IBM Spectrum Protect (formerly Tivoli Storage Manager) is vulnerable to an offline dictionary attack due to information disclosed during authentication. An attacker can gain full access to the IBM Spectrum Protect system

IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect for Virtual Environments are vulnerable to a denial of service caused by incorrect accumulation of TCP/IP sockets in a CLOSE_WAIT state.

Under certain conditions, it is possible that directory-container file pointers might be inadvertently removed from the IBM Spectrum Protect Server database.

Security Bulletin: Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Server (CVE-2017-1105, CVE-2017-1297)

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Services (CVE-2017-10115, CVE-2017-10116)

Problem-Solving Resources Online

These pages contain details about various key IBM Spectrum Protect documents, fix packs, versions, announcements and end of support data


IBM SP, IBM SP EE, and SSAM (includes server and client)
IBM SP for Databases (includes Data Protection for Oracle and Data Protection for SQL)
IBM SP for Enterprise Resource Planning (ERP)
IBM SP for Mail (includes Data Protection for Domino and Data Protection for Exchange)
IBM SP for Virtual Environments (includes Data Protection for VMware and Data Protection for Microsoft Hyper-V)
IBM Spectrum Protect Snapshot (Storage FlashCopy Manager)
IBM Spectrum Protect Snapshot (Storage FlashCopy Manager) - All Requirements Document
