[gpfsug-discuss] GPFS vulnerability with possible root exploit on versions prior to 5.0.4.3 (and 4.2.3.21)

Bhupender thakur thakur.hpc at gmail.com
Wed Apr 22 19:23:53 BST 2020


Has IBM released or does IBM plan to release a fix in the 5.0.3.x branch?

On Wed, Apr 22, 2020 at 8:45 AM Felipe Knop <knop at us.ibm.com> wrote:

> Stephan,
>
> Security bulletins need to go through an internal process, including legal
> review. In addition, we are normally required to ensure the fix is
> available for all releases before the security bulletin can be published.
> Because of that, we normally don't list details for security fixes in
> either the readmes or APARs, since the information can only be disclosed in
> the bulletin itself.
>
> ----
> The bulletin below has:
>
> If you cannot apply the latest level of service, contact IBM Service for
> an efix:
>
> - For IBM Spectrum Scale V5.0.0.0 through V5.0.4.1, reference APAR IJ23438
>
> - For IBM Spectrum Scale V4.2.0.0 through V4.2.3.20, reference APAR IJ23426
> "V5.0.0.0 through V5.0.4.1" should have been "V5.0.0.0 through V5.0.4.2".
> (I have asked the text to be corrected)
>
>
>
>   Felipe
>
> ----
> Felipe Knop knop at us.ibm.com
> GPFS Development and Security
> IBM Systems
> IBM Building 008
> 2455 South Rd, Poughkeepsie, NY 12601
> (845) 433-9314 T/L 293-9314
>
>
>
>
> ----- Original message -----
> From: Stephan Graf <st.graf at fz-juelich.de>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: <gpfsug-discuss at spectrumscale.org>
> Cc:
> Subject: [EXTERNAL] Re: [gpfsug-discuss] GPFS vulnerability with possible
> root exploit on versions prior to 5.0.4.3 (and 4.2.3.21)
> Date: Wed, Apr 22, 2020 5:04 AM
>
> Hi
>
> I took a look at the "Readme and Release notes for release 5.0.4.3 IBM
> Spectrum Scale 5.0.4.3
> Spectrum_Scale_Data_Management-5.0.4.3-x86_64-Linux Readme".
> But I did not find the entry which mentioned the "For IBM Spectrum Scale
> V5.0.0.0 through V5.0.4.1, reference APAR  IJ23438" APAR number which is
> mentioned on the "Security Bulletin: A vulnerability has been identified
> in IBM Spectrum Scale where an unprivileged user could execute commands
> as root ( CVE-2020-4273)" page.
>
> shouldn't it be mentioned there?
>
> Stephan
>
>
> On 22.04.2020 at 10:19, Jaime Pinto wrote:
> > In case you missed (the forum has been pretty quiet about this one),
> > CVE-2020-4273 had an update yesterday:
> >
> >
> https://www.ibm.com/support/pages/node/6151701?myns=s033&mynp=OCSTXKQY&mync=E&cm_sp=s033-_-OCSTXKQY-_-E
>
> >
> >
> > If you can't do the upgrade now, at least apply the mitigation to the
> > client nodes generally exposed to unprivileged users:
> >
> > Check the setuid bit:
> > ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l /usr/lpp/mmfs/bin/"$9)}'
> >
> > Apply the mitigation:
> > ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("chmod u-s /usr/lpp/mmfs/bin/"$9)}'
> >
> > Verification:
> > ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l /usr/lpp/mmfs/bin/"$9)}'
> >
> > All the best
> > Jaime
> >
> > .
> > .
> > .        ************************************
> >            TELL US ABOUT YOUR SUCCESS STORIES
> >           http://www.scinethpc.ca/testimonials
> >           ************************************
> > ---
> > Jaime Pinto - Storage Analyst
> > SciNet HPC Consortium - Compute/Calcul Canada
> > www.scinet.utoronto.ca - www.computecanada.ca
> > University of Toronto
> > 661 University Ave. (MaRS), Suite 1140
> > Toronto, ON, M5G1M1
> > P: 416-978-2755
> > C: 416-505-1477
> > _______________________________________________
> > gpfsug-discuss mailing list
> > gpfsug-discuss at spectrumscale.org
> > http://gpfsug.org/mailman/listinfo/gpfsug-discuss
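The setuid check, mitigation and verification quoted above from Jaime's message, reworked as an added example (this is not code from the thread or from IBM's bulletin). It uses find -perm rather than grepping ls output, so it also catches setgid binaries (which ls shows as r-s in the group triplet rather than the owner triplet), and it records each file's original mode before clearing the bits so the change can be reverted once the fixed level is installed. The directory is passed in as a parameter; the demo at the end uses a constructed temporary directory in place of /usr/lpp/mmfs/bin. Assumptions: GNU coreutils stat (-c %a) and a find that supports -maxdepth, which mirrors the original's non-recursive ls. Clearing setuid on a command that needs root to do its work stops unprivileged users from running it, so try this on one client node before rolling it out.

```shell
#!/bin/sh
# Added example: list, strip and verify setuid/setgid bits on the files in a
# directory, keeping a record of the original modes for rollback.
# Assumes GNU stat (-c %a) and find with -maxdepth.

# List every regular file in $1 that carries setuid (4000) or setgid (2000).
list_suid() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
}

# Count such files; 0 means the mitigation is complete for this directory.
count_suid() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Save "<octal mode> <path>" for each affected file to $2, then clear the bits.
strip_suid() {
    dir=$1
    backup=$2
    : > "$backup"
    find "$dir" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) | while read -r f; do
        printf '%s %s\n' "$(stat -c %a "$f")" "$f" >> "$backup"
        chmod u-s,g-s "$f"
    done
}

# Restore the modes recorded by strip_suid (e.g. after upgrading to the fixed level).
restore_suid() {
    while read -r mode f; do
        chmod "$mode" "$f"
    done < "$1"
}

# Constructed demo: a temp directory standing in for /usr/lpp/mmfs/bin with two
# setuid scripts and one plain one. Prints "<before> <after> <restored>".
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\n' > "$tmp/mmsuid_a";  chmod 4555 "$tmp/mmsuid_a"
    printf '#!/bin/sh\n' > "$tmp/mmsuid_b";  chmod 4755 "$tmp/mmsuid_b"
    printf '#!/bin/sh\n' > "$tmp/mmplain";   chmod 0555 "$tmp/mmplain"
    before=$(count_suid "$tmp")
    strip_suid "$tmp" "$tmp/modes.bak"
    after=$(count_suid "$tmp")
    restore_suid "$tmp/modes.bak"
    restored=$(count_suid "$tmp")
    rm -rf "$tmp"
    echo "$before $after $restored"
}

# Usage on a real node (as root), then roll back after upgrading:
#   list_suid /usr/lpp/mmfs/bin
#   strip_suid /usr/lpp/mmfs/bin /root/mmfs-suid-modes.bak
#   count_suid /usr/lpp/mmfs/bin
#   restore_suid /root/mmfs-suid-modes.bak
```

The backup file is written into the target directory only in the demo; on a real node keep it somewhere only root can read, since it is the list of binaries you will make privileged again.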