IBM Support

Security Bulletin: Multiple vulnerabilities in GPFS affects IBM® DB2® LUW on AIX and Linux (CVE-2015-0197, CVE-2015-0198, CVE-2015-0199)

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® General Parallel File System, Versions V3.4 and V3.5 that are used by DB2® pureScale™ Feature on AIX and Linux.

Vulnerability Details

CVEID: CVE-2015-0197
DESCRIPTION:
IBM General Parallel File System could allow a local attacker which only has a non-privileged account to execute programs with root privileges.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101224 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID:
CVE-2015-0198
DESCRIPTION:
IBM General Parallel File System may not properly authenticate network requests and could allow an attacker to execute programs remotely with root privileges.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0199
DESCRIPTION:
IBM General Parallel File System allows attackers to cause kernel memory corruption by issuing specific ioctl calls to a character device provided by the mmfslinux kernel module and cause a denial of service.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101226 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

Customers who have DB2® pureScale™ Feature installed in their DB2 database system are affected.

For CVE-2015-0198, you are not affected if either of the following are true:

  • the cipherList configuration variable is set to AUTHONLY or to a cipher
or
  • only trusted nodes/processes/users can initiate connections to GPFS nodes

All fix pack levels of IBM DB2 V10.1 and V10.5 editions listed below and running on AIX and Linux are affected.

IBM DB2 Express Edition
IBM DB2 Workgroup Server Edition
IBM DB2 Enterprise Server Edition
IBM DB2 Advanced Enterprise Server Edition
IBM DB2 Advanced Workgroup Server Edition
IBM DB2 Connect™ Application Server Edition
IBM DB2 Connect™ Enterprise Edition
IBM DB2 Connect™ Unlimited Edition for System i®
IBM DB2 Connect™ Unlimited Edition for System z®

IBM DB2 pureScale™ Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected.

Remediation/Fixes


The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:
The fix for DB2 and DB2 Connect V10.1 is in V10.1 FP5 and V10.5 is in V10.5 FP6, available for download from Fix Central.

Customers running any vulnerable fixpack level of an affected Program, V9.8 can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.8 FP5. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. Additionally fixes based on DB2 V10.5 FP5 will be made available on request.

Refer to the folowing chart to determine how to proceed to obtain a needed fixpack or special build.

ReleaseFixed in fix packAPARDownload URL
V9.8 TBDIT08108 Please contact technical support.
V10.1 FP5IT08112 http://www-01.ibm.com/support/docview.wss?uid=swg24040170
V10.5FP6IT08113http://www-01.ibm.com/support/docview.wss?uid=swg24040522

For CVE-2015-0198, after applying the appropriate fix pack or special build, set cipherList to AUTHONLY.

To enable AUTHONLY without shutting down the daemon on all nodes:
  • Install the fix pack or special build containing the fix on all nodes in the cluster one node at a time
  • Generate SSL keys by running the mmauth genkey new command.
  • Enable AUTHONLY by running the mmauth update . -l AUTHONLY command. If the mmauth update command fails, examine the messages, correct the problems (or shut down the daemon on the problem node) and repeat the mmauth update command above.

Note: Applying the fix pack or special build on all nodes in the cluster will allow you to switch cipherList dynamically without shutting down the GPFS daemons across the cluster.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Workarounds and Mitigations

For CVE-2015-0197 and CVE-2015-0199, there are no workarounds or mitigations.

For CVE-2015-0198, set cipherList to AUTHONLY, or to a real cipher. Follow the instructions above if the fix pack or special build was installed on all the nodes in the cluster. Otherwise:

  • Generate SSL keys by running the mmauth genkey new command
  • Shut down the GPFS daemon on all nodes on the cluster
  • Enable AUTHONLY by running mmauth update . -l AUTHONLY

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

The vulnerabilities were reported to IBM by Florian Grunow and Felix Wilhelm of ERNW

Change History

July 10, 2015: Original Version Published
Aug 13, 2015: Updated with V10.5 FP6 fix info

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSEPGG","label":"DB2 for Linux- UNIX and Windows"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security \/ Plug-Ins - Security Vulnerability","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"9.8;10.1;10.5","Edition":"Advanced Enterprise Server;Advanced Workgroup Server;Enterprise Server;Express;Express-C;Personal;Workgroup Server"}]

Document Information

Modified date:
16 June 2018

UID

swg21902662