Security Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)

Vulnerability Details

Basic Information

Title Security Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)
Type ibm
Published 2025-04-29T02:27:14
Last Seen 2025-04-29T11:06:03
CVSS Score 6.8 (MEDIUM)

CVSS v3 Details

Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact NONE
Availability Impact NONE

CVE Information

CVE IDs CVE-2020-4497
CWE
Bulletin Family software

Description

## Summary

IBM Spectrum Protect Plus does not encrypt data transfer between vSnap servers and application agents. This could allow an attacker to view sensitive information in transit.

## Vulnerability Details

**CVEID:** CVE-2020-4497
**DESCRIPTION:** IBM Spectrum Protect Plus discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using man-in-the-middle techniques.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182106 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

## Affected Products and Versions

**Affected Product(s)** | **Version(s)**
---|---
IBM Spectrum Protect Plus | 10.1.0-10.1.12

## Remediation/Fixes

IBM Spectrum Protect Plus 10.1.13 introduces the Transport Encryption feature. With transport encryption, you can protect the data transport between the application host and vSnap during backup and restore. Transport encryption secures each data path between the application host and the vSnap by encrypting and decrypting the data. For more information about Transport Encryption, see https://www.ibm.com/docs/en/SSNQFQ_10.1.13/spp/r_spp_vSnap_transportencryption.html

**IBM Spectrum Protect Plus Affected Versions** | **Fixing Level** | **Platform** | **Link to Fix and Instructions**
---|---|---|---
10.1.0-10.1.12 | 10.1.13 | Linux | https://www.ibm.com/support/pages/node/6827871

## Workarounds and Mitigations

None

Impact Assessment

Base Score 6.8
Severity MEDIUM
