Security Bulletin
Summary
A security vulnerability has been identified in the IBM Spectrum Scale (GPFS) Hadoop connector that could allow an unprivileged user to read, write, modify, or delete any data in a GPFS file system (CVE-2015-7430).
Vulnerability Details
CVEID: CVE-2015-7430
DESCRIPTION: IBM General Parallel File System Hadoop connector could allow an unprivileged user to read, write, modify, or delete any data in a GPFS file system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107859 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM Spectrum Scale (GPFS) Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 through 2.7.0-2
Remediation/Fixes
Users of the IBM Spectrum Scale (GPFS) Hadoop connector should upgrade to 2.7.0-3 available at
Uninstall the old connector and upgrade to 2.7.0-3. To upgrade the connector, see chapter 15 of the Deploying a Big Data Solution using IBM Spectrum Scale technical white paper at https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Big%20Data%20Best%20practices.
After upgrading to 2.7.0.3:
If you have configured one group as gpfs.supergroup (e.g. gpfs.supergroup="hadoop"):
1. Create the directory /var/mmfs/bi on all nodes if the directory is not yet present.
2. Issue the chown <anyone-super-user>:<super-group> /var/mmfs/bi command on all nodes.
If the group hadoop is configured as gpfs.supergroup in the connector:
chown hdfs:hadoop /var/mmfs/bi
3. Issue the chmod command to limit access to the hadoop super group users:
chmod 0660 /var/mmfs/bi
4. Restart the connector by issuing the commands on all nodes:
mmhadoopctl connector stop
mmhadoopctl connector start
If you have configured more than one group as gpfs.supergroup (e.g. gpfs.supergroup="bigsql,hadoop"):
1. Create the directory /var/mmfs/bi on all nodes if the directory is not yet present.
2. Issue the chown <anyone-super-user>:<anyone-super-group> /var/mmfs/bi command on all nodes.
If the group hadoop is configured as gpfs.supergroup in the connector:
chown hdfs:hadoop /var/mmfs/bi
3. Issue the chmod command to limit access to the hadoop super group users:
chmod 0660 /var/mmfs/bi
4. Restart the connector by issuing the commands on all nodes:
mmhadoopctl connector stop
mmhadoopctl connector start
5. After you have restarted the connector daemon, for each super_group_i, issue:
setfacl -m g:super_group_i:rw /var/run/ibm_bigpfs_gcd
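A post-upgrade audit of the steps above, as an added example that is not part of IBM's bulletin or tooling: it checks the mode and group of /var/mmfs/bi and, for the multi-group case, that each super group has an effective rw ACL entry on /var/run/ibm_bigpfs_gcd. The function names and the `--audit` argument are hypothetical, and GNU `stat` and `getfacl` are assumed to be installed.

```shell
#!/bin/sh
# Added example: audit the permissions this bulletin asks for after upgrading.

# check_bi_dir DIR GROUPS
# DIR must exist, have mode 660 and be group-owned by one of the
# comma-separated gpfs.supergroup values in GROUPS.
check_bi_dir() {
    dir=$1; groups=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is missing"; return 1; }
    mode=$(stat -c '%a' "$dir")   # GNU stat: octal mode
    grp=$(stat -c '%G' "$dir")    # GNU stat: owning group name
    if [ "$mode" != "660" ]; then
        echo "FAIL: $dir mode is $mode, expected 660"; rc=1
    fi
    case ",$groups," in
        *",$grp,"*) ;;
        *) echo "FAIL: $dir group $grp is not in gpfs.supergroup ($groups)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
    return "$rc"
}

# missing_acl_groups GROUPS
# Reads `getfacl` output on stdin and prints every group in GROUPS that has
# no named-group entry with effective rw (the setfacl step, multi-group case).
missing_acl_groups() {
    awk -v want="$1" '
        /^group:[^:]+:/ {
            split($1, f, ":"); perms = f[3]
            # getfacl appends "#effective:xxx" when the mask narrows an entry
            for (i = 2; i <= NF; i++)
                if ($i ~ /^#effective:/) perms = substr($i, 12)
            if (perms ~ /^rw/) ok[f[2]] = 1
        }
        END {
            n = split(want, g, ",")
            for (i = 1; i <= n; i++) if (!(g[i] in ok)) print g[i]
        }'
}

# Hypothetical invocation: sh audit.sh --audit "bigsql,hadoop"
if [ "${1:-}" = "--audit" ]; then
    check_bi_dir /var/mmfs/bi "$2" || status=1
    case "$2" in *,*)   # the bulletin has a setfacl step only for several groups
        missing=$(getfacl -c /var/run/ibm_bigpfs_gcd 2>/dev/null | missing_acl_groups "$2")
        [ -z "$missing" ] || { echo "FAIL: no rw ACL for:" $missing; status=1; } ;;
    esac
    exit "${status:-0}"
fi
```

Run it on every node after the connector restart; a missing socket is reported as all groups lacking the ACL.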
For the GPFS Hadoop Connector 1.1.1, IBM recommends upgrading both your level of Hadoop and level of IBM Spectrum Scale (GPFS) Hadoop Connector code to current levels. See https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Hadoop%20Connector%20Download%20%26%20Info
Workarounds and Mitigations
None
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 01 August 2018
UID: ssg1S1005461