IBM Support

Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2016-2985 and CVE-2016-2984)

Created by Laura Murphy on
Published URL:
https://www.ibm.com/support/pages/node/629775
629775

Security Bulletin


Summary

There are vulnerabilities in IBM Spectrum Scale packaged with IBM Spectrum Scale RAID for the Elastic Storage Server and the GPFS Storage Server.

Vulnerability Details


CVEID: CVE-2016-2985
DESCRIPTION:
A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by setting environment variables processed by setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-2984
DESCRIPTION:
A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by supplying command line parameters to setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The Elastic Storage Server versions 4.0, 3.5, 3.0 and 2.5

The GPFS Storage Server version 2.0

Remediation/Fixes

For the Elastic Storage Server 4.0.0 thru 4.0.5, upgrade to 4.0.6, available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.2.0&platform=All&function=all

For the Elastic Storage Server 3.5.0 thru 3.5.5, upgrade to 3.5.6 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all

For the Elastic Storage Server 3.0.0 thru 3.0.5, upgrade to 3.5.6 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all

For the Elastic Storage Server 2.5.0 thru 2.5.5 and the GPFS Storage Server 2.0.0 thru 2.0.7, contact IBM Service referencing APAR IV88320. See http://www.ibm.com/planetwide/

Workarounds and Mitigations

Until the fixes can be applied, a workaround is to remove the setuid from the files in the /usr/lpp/mmfs/bin directory. Determine the set of files with setuid bit by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Then reset the setuid bit for each such file by issuing this command on each file

chmod u-s file


Once the workaround is applied, a number of commands may no longer work when not invoked by unprivileged users, including:

mmchfileset
mmcrsnapshot
mmdelsnapshot
mmdf
mmedquota
mmgetacl
mmlsdisk
mmlsfileset
mmlsfs
mmlsmgr
mmlspolicy
mmlspool
mmlsquota
mmlssnapshot
mmputacl
mmsnapdir

Get Notified about Future Security Bulletins

References

Change History

23 September 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS6JZK","label":"IBM Spectrum Scale RAID"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.0","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
08 March 2021

UID

isg3T1024336