PT-2022-25299 · Ibm · Ibm Spectrum Protect Plus

Published

2022-09-19

Updated

2022-09-21

CVE-2022-40234

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions IBM Spectrum Protect Plus versions prior to 10.1.12

Description The issue allows an attacker to obtain the private key information for a certificate if the generated .crt file is shared. This occurs because the private key information is included inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus.

Recommendations For versions prior to 10.1.12, update to version 10.1.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the generated .crt files to minimize the risk of exploitation. Avoid sharing the .crt files to prevent attackers from obtaining the private key information.

Fix

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-668

Related Identifiers

CVE-2022-40234

Affected Products

Ibm Spectrum Protect Plus

PT-2022-25299 · Ibm · Ibm Spectrum Protect Plus

CVE-2022-40234

Weakness Enumeration

Related Identifiers

Affected Products

References · 5