
Security Bulletin: IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2015-7430)

Security Bulletin


Summary

A security vulnerability has been identified in the IBM Spectrum Scale (GPFS) Hadoop connector which could allow an unprivileged user the ability to read, write, modify, or delete any data in a GPFS file system (CVE-2015-7430).

Vulnerability Details


CVEID: CVE-2015-7430
DESCRIPTION: IBM General Parallel File System Hadoop connector could allow an unprivileged user the ability to read, write, modify, or delete any data in a GPFS file system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107859 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Scale (GPFS) Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 through 2.7.0-2

Remediation/Fixes

Users of the IBM Spectrum Scale (GPFS) Hadoop connector should upgrade to 2.7.0-3 available at

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Hadoop%20Connector%20Download%20%26%20Info



Uninstall the old connector and upgrade to 2.7.0-3. To upgrade the connector, see chapter 15 of the Deploying a Big Data Solution using IBM Spectrum Scale technical white paper at https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Big%20Data%20Best%20practices.

After upgrading to 2.7.0-3:

If you have configured one group as gpfs.supergroup (e.g. gpfs.supergroup="hadoop"):

1. Create the directory /var/mmfs/bi on all nodes if the directory is not yet present.

2. Issue the chown <anyone-super-user>:<super-group> /var/mmfs/bi command on all nodes.
If the group hadoop is configured as gpfs.supergroup in the connector:

chown hdfs:hadoop /var/mmfs/bi

3. Issue the chmod command to limit access to the hadoop super group users:

chmod 0660 /var/mmfs/bi

4. Restart the connector by issuing the commands on all nodes:

mmhadoopctl connector stop
mmhadoopctl connector start



If you have configured more than one group as gpfs.supergroup (e.g. gpfs.supergroup="bigsql,hadoop"):

1. Create the directory /var/mmfs/bi on all nodes if the directory is not yet present.

2. Issue the chown <anyone-super-user>:<anyone-super-group> /var/mmfs/bi command on all nodes.
If the group hadoop is configured as gpfs.supergroup in the connector:

chown hdfs:hadoop /var/mmfs/bi

3. Issue the chmod command to limit access to the hadoop super group users:

chmod 0660 /var/mmfs/bi

4. Restart the connector by issuing the commands on all nodes:

mmhadoopctl connector stop
mmhadoopctl connector start

5. After you have restarted the connector daemon, for each super_group_i, issue:

setfacl -m g:super_group_i:rw /var/run/ibm_bigpfs_gcd
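The following script is an added verification aid, not IBM's code or part of the connector: run on each node after completing the steps above, it confirms that /var/mmfs/bi has the prescribed owner, group and 0660 mode (flagging any world-accessible bits) and, for the multi-group case, that every configured super group holds an rw ACL entry on /var/run/ibm_bigpfs_gcd. It assumes Linux nodes with GNU stat and getfacl available.

```shell
#!/bin/sh
# Post-remediation checks for the CVE-2015-7430 steps (added example).
# check_bi_dir: /var/mmfs/bi must exist, be owned by a Hadoop superuser and
#   the gpfs.supergroup, and carry mode 0660 (nothing for "other").
# check_gcd_acl: in the multi-group case each super group needs rw on the
#   gcd socket (step 5). Assumption: GNU stat and getfacl are installed.

check_bi_dir() {
    dir=$1; want_owner=$2; want_group=$3; want_mode=${4:-660}
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (step 1 not done)"
        return 1
    fi
    info=$(stat -c '%a %U %G' "$dir" 2>/dev/null) ||
        { echo "ERROR: cannot stat $dir"; return 1; }
    set -- $info
    mode=$1; owner=$2; group=$3; rc=0
    [ "$owner" = "$want_owner" ] ||
        { echo "BAD OWNER: $dir owned by $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "BAD GROUP: $dir group is $group, expected $want_group"; rc=1; }
    [ "$mode" = "$want_mode" ] ||
        { echo "BAD MODE: $dir is $mode, expected $want_mode"; rc=1; }
    # The last octal digit is the "other" class; any bit set is world access.
    case "$mode" in
        *0) ;;
        *) echo "WORLD-ACCESSIBLE: $dir mode $mode grants access to other"; rc=1 ;;
    esac
    return $rc
}

check_gcd_acl() {
    path=$1; shift        # remaining arguments: the configured super groups
    acl=$(getfacl -p "$path" 2>/dev/null) ||
        { echo "ERROR: cannot read ACL of $path"; return 1; }
    rc=0
    for grp in "$@"; do
        case "$acl" in
            *"group:$grp:rw"*) ;;
            *) echo "MISSING ACL: $grp has no rw entry on $path"; rc=1 ;;
        esac
    done
    return $rc
}

# Example with the bulletin's sample configuration (gpfs.supergroup="bigsql,hadoop"):
#   check_bi_dir /var/mmfs/bi hdfs hadoop && check_gcd_acl /var/run/ibm_bigpfs_gcd bigsql hadoop
if [ $# -gt 0 ]; then check_bi_dir "$@"; fi
```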

For the GPFS Hadoop Connector 1.1.1, IBM recommends upgrading both Hadoop and the IBM Spectrum Scale (GPFS) Hadoop Connector code to current levels. See https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Hadoop%20Connector%20Download%20%26%20Info

Workarounds and Mitigations

None

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
01 August 2018

UID

ssg1S1005461