<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" >Note that that page gives a rather long-winded and incomplete workaround:</div>
<div dir="ltr" > </div>
<div dir="ltr" ><h2><span style="color:#008000;" >Workarounds and Mitigations</span></h2>
<div class="ibm-domino-rtf" ><p class="wordwrap" ><span style="color:#008000;" >Until the fixes can be applied, a workaround is to remove the setuid from the files in the <b>/usr/lpp/mmfs/bin</b> directory. Determine the set of files with setuid bit by running<br><b>ls -l /usr/lpp/mmfs/bin | grep r-s</b><br>Then reset the setuid bit for each such file by issuing this command on each file<br><b>chmod u-s </b><i>file</i></span></p></div>
<div> </div>
<div>instead of the more obvious :</div>
<div><div><strong> find /usr/lpp/mmfs/bin -perm -4000</strong></div>
<div>which can be piped into an xargs -l chmod u-s if desired.</div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<div dir="ltr" >By the way the files affected are all binaries so not as obvious a security risk as allowing a backdoor to an interactive ksh shell as root.</div>
<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family: Arial; font-size: 10.5pt;" ><div class="socmaildefaultfont" dir="ltr" style="font-family: Arial; font-size: 10.5pt;" ><div class="socmaildefaultfont" dir="ltr" style="font-family: Arial; font-size: 10.5pt;" ><div class="socmaildefaultfont" dir="ltr" style="font-family: Arial; font-size: 10.5pt;" ><div class="socmaildefaultfont" dir="ltr" style="font-family: Arial; font-size: 10.5pt;" ><div class="socmaildefaultfont" dir="ltr" style="font-family: Arial; font-size: 10.5pt;" ><div dir="ltr" style="margin-top: 20px;" ><div style="font-family: sans-serif; font-size: 8pt; margin-top: 10px;" ><div style="margin-bottom:0cm;margin-bottom:.0001pt;line-height:normal;" ><span style="font-family:Verdana, Geneva, sans-serif" ><span style="font-size:11.5pt;" >Daniel</span></span></div>
<div style="margin-bottom:0cm;margin-bottom:.0001pt;line-height:normal;" ><img alt="/spectrum_storage-banne" src="" src="http://ausgsa.ibm.com/projects/t/tivoli_visual_design/public/2015/Spectrum-Storage/Email-signatures/Storage/spectrum_storage-banner.png" style="width: 601px; height: 5px;" ></div>
<div style="margin-bottom:0cm;margin-bottom:.0001pt;line-height:normal;" ><br> </div>
<table cellpadding="0" cellspacing="0" border="0" > <tbody> <tr> <td style="width:201px;padding:0cm 0cm 0cm 0cm;" > <div style="margin-bottom:0cm;margin-bottom:.0001pt;line-height:normal;" ><img alt="Spectrum Scale Logo" src="" src="http://ausgsa.ibm.com/projects/t/tivoli_visual_design/public/2015/Spectrum-Storage/Email-signatures/Storage/spectrum_scale-logo.png" style="width: 75px; height: 120px; float: left;" ></div>
<div style="margin-bottom:0cm;margin-bottom:.0001pt;line-height:normal;" > </div> </td> <td style="width:21px;padding:0cm 0cm 0cm 0cm;" > </td> <td style="width:202px;padding:0cm 0cm 0cm 0cm;" > <div style="margin-bottom:0cm;margin-bottom:.0001pt;line-height:normal;" ><strong><span style="font-family:Arial, Helvetica, sans-serif" ><span style="font-size:10.0pt;" >Dr Daniel Kidger</span></span></strong><br> <span style="font-family:Arial, Helvetica, sans-serif" ><span style="font-size:7.5pt;" >IBM Technical Sales Specialist<br> Software Defined Solution Sales<br> <br> +</span></span><span style="color:#5F5F5F;" ><span style="font-family:Verdana, Geneva, sans-serif" ><span style="font-size:10.0pt;" >44-07818 522 266 </span></span></span><br> <span style="color:#5F5F5F;" ><span style="font-family:Arial, Helvetica, sans-serif" ><span style="font-size:8.0pt;" >daniel.kidger@uk.ibm.com</span></span></span></div> </td> </tr> </tbody></table>
<div> </div>
<div><br><font size="2" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" > </font></div></div></div></div></div></div></div></div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: "Oesterlin, Robert" <Robert.Oesterlin@nuance.com><br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>Cc:<br>Subject: [gpfsug-discuss] GPFS/Spectrum Scale security vulernability - All versions<br>Date: Tue, May 31, 2016 12:57 PM<br> <br><!--Notes ACF
<meta http-equiv="Content-Type" content="text/html; charset=utf8" >-->
<div><p><span style="font-size:11.0pt;font-family:Helvetica" >IBM published a security vulnerability today that effects all current and prior levels of GPFS/Spectrum Scale. The short explanation is "IBM Spectrum Scale and IBM GPFS that could allow a local attacker to inject commands into setuid file parameters and execute commands as root." This is a "high" vulnerability (8.4).<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:Helvetica" ><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:Helvetica" >Details here: <a href="http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005781" target="_blank" >http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005781</a><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:Helvetica" ><o:p> </o:p></span></p>
<p><span style="font-size:10.5pt;color:black" ><o:p> </o:p></span></p>
<div><p><span style="font-size:10.5pt;font-family:Helvetica;color:black" >Bob Oesterlin<br>Sr Storage Engineer, Nuance HPC Grid<br><br><o:p></o:p></span></p></div>
<p><o:p> </o:p></p></div>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank" >http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></div></blockquote>
<div dir="ltr" > </div></div>Unless stated otherwise above:<BR>
IBM United Kingdom Limited - Registered in England and Wales with number 741598. <BR>
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU<BR>
<BR>