CVE-2022-22396

7.5 HIGH

📋 TL;DR

IBM Spectrum Protect Plus versions 10.1.0.0 through 10.1.9.3 write credentials in clear text to the virgo log files during certain operations. Depending on the operation, the exposed secret is a remote vSnap, offload-target or VADP (vSphere) credential, and anyone who can read the log files, or copies of them, can recover it. Every deployment on an affected version that uses password-based credentials for those components is exposed.

💻 Affected Systems

Products:
  • IBM Spectrum Protect Plus
Versions: 10.1.0.0 through 10.1.9.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only password-based credentials are affected; vSnap, offload-target or VADP connections that authenticate with API keys or certificates are not logged this way. The credentials at risk are those for remote vSnap servers, offload targets and VADP (vCenter) access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrative access to the backup infrastructure, potentially compromising all backed-up data and using the recovered credentials to pivot to vCenter, storage and other systems.

🟠 Likely Case: Insiders or attackers with log access steal credentials to reach backup targets, then exfiltrate or corrupt backup data.

🟢 If Mitigated: Limited credential exposure if logs are properly secured and monitored, but the risk remains until the system is patched and the already-exposed credentials have been rotated.

🌐 Internet-Facing: MEDIUM - The virgo logs are not served to the internet by the product itself; external exposure requires the log files, or copies of them, to reach an attacker through a misconfigured share, a web-accessible log directory or an exfiltrated support bundle.
🏢 Internal Only: HIGH - Log files are routinely readable by administrators, operators and log-collection tooling, so credential theft inside the network needs no exploit, only read access to the file.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is simply reading the log: anyone with read access to the virgo log files, or to copies of them (forwarded logs, appliance backups, support bundles sent to third parties), obtains the credentials without any further interaction. No authentication bypass is needed, and the recovered credentials can then be replayed directly against the vSnap server, offload target or vCenter/VADP endpoint they belong to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.10 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/6591505

Restart Required: Yes

Instructions:

1. Download IBM Spectrum Protect Plus 10.1.10 or later from IBM Fix Central.
2. Back up the current configuration.
3. Apply the update following IBM's installation guide.
4. Restart all Spectrum Protect Plus services.

🔧 Temporary Workarounds

Restrict log file access

linux

Remove group and world read access from the virgo log files and the directory that holds them, including rotated and archived copies (*.log.1, *.log.gz). Keep the existing owner: the logs are written by the Spectrum Protect Plus service account, and changing the owner to root (as a naive chown root:root would) stops a non-root service from appending to its own log.

chmod 700 /path/to/virgo/logs
chmod 600 /path/to/virgo/logs/*.log
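
Applying the same workaround to a whole log tree, as an added shell example that is not IBM's code or from the advisory: it strips group and world access from every log file and directory under the path it is given, leaves the owner untouched so the service account can keep writing, and has a check function that lists anything still readable by others. The log path and the *.log* naming convention are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code or from the advisory: lock down a virgo log
# directory while keeping its current owner, so the service account that writes
# the logs keeps working. The path is passed as $1; the *.log* naming and the
# directory layout are assumptions, substitute your real virgo log location.

# Strip group/world access from the directory tree and every log file in it.
harden_log_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "harden_log_dir: no such directory: $dir" >&2; return 1; }
    # Directories: owner only, so nobody else can even list the file names.
    find "$dir" -type d -exec chmod 700 {} +
    # Log files, including rotated copies (*.log.1, *.log.gz): owner read/write only.
    # The owner is deliberately left alone; chown root:root would stop a non-root
    # service user from appending to its own log.
    find "$dir" -type f -name '*.log*' -exec chmod 600 {} +
}

# Returns 1 (and lists the offenders) if any log file is still readable by group or others.
check_log_dir() {
    exposed="$(find "$1" -type f -name '*.log*' \( -perm -g+r -o -perm -o+r \) -print)"
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Usage: ./harden_virgo_logs.sh /path/to/virgo/logs
if [ $# -ge 1 ]; then
    harden_log_dir "$1" && check_log_dir "$1"
fi
```

Run it after every log rotation as well, or set the rotation tool to create new files with mode 600, otherwise the next rotated file comes back world-readable.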

Monitor log files for credential exposure

all

Scan the virgo logs for credential patterns after operations that register a vSnap server, configure an offload target or connect to vCenter, and feed the same check into whatever tails these logs continuously. Two caveats: the output of this command contains the leaked secret itself, so do not pipe it unredacted into another log or a ticket, and the bare word 'key' also matches benign messages (API key, keystore, keyword), so expect noise.

grep -n -i -E 'password|credential|key' /path/to/virgo/logs/*.log
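
A redacting version of this check, as an added shell example that is not IBM's code or from the advisory: it scans the given log files with awk for credential fields (password, passwd, pwd, secret, credential) in key=value, key: value and JSON forms, prints each hit with the secret replaced by [REDACTED] so the alert can be forwarded safely, and is run here against a constructed sample log rather than a real virgo log. The field names, the delimiter set and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code or from the advisory: scan virgo log files for
# credential-shaped "key=value" / "key: value" pairs and report every hit with
# the secret masked, so the alert does not copy the password into yet another log.
# The key list, the value delimiter set and the sample log lines are assumptions;
# extend KEY_PATTERN to whatever field names your own logs use.

# Credential field names, optionally quoted (JSON), then '=' or ':' with optional spaces.
KEY_PATTERN='(password|passwd|pwd|secret|credential)"?[ \t]*[=:][ \t]*"?'
# The secret itself: everything up to whitespace, a quote or a common delimiter.
VALUE_PATTERN='^[^ \t,;&"]+'

# Prints "file:line: <line with each secret replaced by [REDACTED]>" per hit.
# Matching is case-insensitive: offsets are found on a lowercased copy, which is
# safe because tolower() keeps the length of ASCII text unchanged.
scan_virgo_logs() {
    awk -v keypat="$KEY_PATTERN" -v valpat="$VALUE_PATTERN" '
    {
        line = $0; lower = tolower($0); out = ""; hit = 0
        while (match(lower, keypat)) {
            kend = RSTART + RLENGTH - 1
            out = out substr(line, 1, kend)          # keep the key and separator
            line = substr(line, kend + 1); lower = substr(lower, kend + 1)
            if (match(lower, valpat)) {              # value starts right after the key
                out = out "[REDACTED]"
                line = substr(line, RLENGTH + 1); lower = substr(lower, RLENGTH + 1)
                hit = 1
            }
        }
        if (hit) printf "%s:%d: %s\n", FILENAME, FNR, out line
    }' "$@"
}

# Prints the number of log lines that leaked at least one credential.
count_credential_hits() {
    scan_virgo_logs "$@" | wc -l | tr -d ' '
}

# Constructed sample in the spirit of a virgo log; not a capture from a real system.
write_sample_log() {
    cat > "$1" <<'EOF'
[2022-03-01 10:15:02.114] INFO  vsnap.Register  Registering remote vSnap 10.0.0.5
[2022-03-01 10:15:02.118] DEBUG vsnap.Register  user=vsnapadmin password=Sup3rS3cret! host=10.0.0.5
[2022-03-01 10:15:03.002] INFO  vadp.Connect    Connecting to vCenter vc01.example.internal
[2022-03-01 10:15:03.009] DEBUG vadp.Connect    {"host":"vc01","user":"vadpsvc","pwd":"Vc3nt3r-Pass"}
[2022-03-01 10:15:04.550] INFO  offload.Sync    API key authentication in use, skipping password prompt
EOF
}

SAMPLE="$(mktemp)"
write_sample_log "$SAMPLE"
scan_virgo_logs "$SAMPLE"
# → two lines reported (the vSnap and the VADP line), each value shown as [REDACTED]
```

Point it at the real files with `scan_virgo_logs /path/to/virgo/logs/*.log*` and alert on a non-zero `count_credential_hits`; the "API key" line in the sample is deliberately not reported, which is the noise the plain grep on 'key' would produce.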

🧯 If You Can't Patch

  • Rotate all potentially exposed credentials immediately, especially for vSnap, offload targets and VADP. Until the fix is applied the new credentials will be logged the same way, so plan to rotate again right after patching.
  • Scrub or delete existing virgo logs, rotated archives and any support bundles that contain them; the secrets live in the historical files, not only in the active log.
  • Implement strict access controls and monitoring on all log file directories, and consider moving logs to secured storage.

🔍 How to Verify

Check if Vulnerable:

Check the version in the Spectrum Protect Plus admin console, or run the command below on the server; any version from 10.1.0.0 up to and including 10.1.9.3 is affected.

Check Version:

java -jar /opt/IBM/SPP/version.jar

Verify Fix Applied:

After patching, confirm the version is 10.1.10 or later, then perform an operation that uses each credential type (register a remote vSnap server, configure an offload target, run a VADP backup) and confirm the password does not appear in the virgo logs. Scan the rotated archives as well as the active log, since the older files still contain whatever was logged before the fix.

📡 Detection & Monitoring

Log Indicators:

  • Clear text passwords or credentials in virgo log files
  • Patterns like 'password=', 'credential=', or specific credential strings in logs

Network Indicators:

  • Logins to vSnap servers, offload targets or vCenter with the Spectrum Protect Plus service credentials from hosts other than the Spectrum Protect Plus server itself, which indicates the credentials have been replayed from elsewhere
  • Reads of or copies from the virgo log directory by accounts or tools that do not normally touch it

SIEM Query:

Splunk-style search over forwarded virgo logs. Expect noise from the bare term "key" and from benign messages that merely mention certificates, and treat every match as sensitive, because the event body contains the secret:

source="*virgo*.log" AND ("password" OR "credential" OR "key") NOT "API key" NOT "certificate"

🔗 References

  • IBM Security Bulletin for CVE-2022-22396: https://www.ibm.com/support/pages/node/6591505
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-22396