Security Bulletin
Summary
A security vulnerability has been identified in IBM Spectrum Scale (GPFS) that could allow a remote authenticated attacker to overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash. This vulnerability is only applicable if:
- file encryption is being used
- the key management infrastructure has been compromised
Vulnerability Details
CVEID: CVE-2016-6115
DESCRIPTION: IBM General Parallel File System is vulnerable to a buffer overflow. A remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash.
CVSS Base Score: 6.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM Spectrum Scale V4.2.0.0 through V4.2.2.0
IBM Spectrum Scale V4.1.0.0 through V4.1.1.10
IBM GPFS V4.1.0.0 through V4.1.0.8
Note: This vulnerability is only applicable if:
- file encryption is being used
- the key management infrastructure has been compromised
Remediation/Fixes
For IBM Spectrum Scale V4.2.0.0 through V4.2.2.0, apply IBM Spectrum Scale V4.2.2.1, available from Fix Central at
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.2&platform=All&function=all
For IBM Spectrum Scale V4.1.1.0 through V4.1.1.10 and IBM GPFS V4.1.0.0 through V4.1.0.8, apply V4.1.1.11, available from Fix Central at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all
If you cannot apply the latest level of service, contact IBM Service for an efix:
- For IBM Spectrum Scale V4.2.0.0 through V4.2.2.0, reference APAR IV91327
- For IBM GPFS V4.1.0 through V4.1.0.8 and IBM Spectrum Scale V4.1.1.0 through V4.1.1.10, reference APAR IV91328
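When triaging this bulletin across a fleet, the version ranges above have to be compared numerically: a plain string comparison puts "4.1.1.10" before "4.1.1.9" and would misclassify the last affected level. The following Python is an added example, not IBM tooling; it encodes the inclusive ranges from the Affected Products section and the fixed levels from this section, and reports whether a given version string is in a listed range and which fix level applies. A version outside every listed range is reported as "not listed in the bulletin" rather than as safe.

```python
"""Classify IBM Spectrum Scale / GPFS version strings against this
bulletin's affected ranges. Added example; ranges and fix levels are
copied from the bulletin text, the helper names are our own."""
import re

# (inclusive_low, inclusive_high, fixed_in) as 4-part integer tuples,
# taken from the bulletin's Affected Products and Remediation sections.
AFFECTED_RANGES = [
    ((4, 2, 0, 0), (4, 2, 2, 0), (4, 2, 2, 1)),
    ((4, 1, 0, 0), (4, 1, 1, 10), (4, 1, 1, 11)),
]


def parse_version(text):
    """'V4.1.1.10' or '4.1.1.10' -> (4, 1, 1, 10). Pads short strings
    with zeros so '4.1.0' compares as 4.1.0.0."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def classify(text):
    """Return a dict describing where the version sits relative to the
    bulletin: affected (in a listed range), the fix level for that range,
    or not_listed when no range matches."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"version": v, "affected": True,
                    "fixed_in": fixed, "not_listed": False}
    return {"version": v, "affected": False,
            "fixed_in": None, "not_listed": True}


def needs_fix(text, file_encryption_enabled):
    """Combine the version check with the bulletin's precondition: the
    issue only applies when file encryption is in use. The compromised
    key management infrastructure precondition is an attacker condition,
    so it is not an input here; treat affected+encryption as patch-now."""
    c = classify(text)
    return c["affected"] and file_encryption_enabled


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"nsd01": "V4.1.1.10", "nsd02": "4.1.1.11",
                 "nsd03": "4.2.2.0", "nsd04": "4.2.2.1"}
    for host, ver in inventory.items():
        print(host, ver, classify(ver))
```

The regular expression accepts at most four dotted numeric components and rejects anything else, so a malformed string from an inventory export raises rather than silently comparing as 0.0.0.0.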
Workarounds and Mitigations
None
References
Change History
3 January 2017: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
01 August 2018
UID
ssg1S1009639