[gpfsug-discuss] kernel 3.10.0-1160.36.2.el7.x86_64 (CVE-2021-33909) not compatible with DB2 (for TSM, HPSS, possibly other IBM apps)
jonathan.buzzard at strath.ac.uk
Sat Jul 31 23:47:10 BST 2021
On 30/07/2021 15:11, Jaime Pinto wrote:
> Hey Jonathan
> 3.10.0-1160.31.1 seems to be one of the last kernel releases prior to
> the CVE-2021-33909 exploit.
It is the release immediately prior to 3.10.0-1160.31.2.
To be fair I didn't consider it important to install 3.10.0-1160.31.2 on
our TSM server because the only people able to log onto it can all get
root anyway. So a local privilege escalation bug is like meh to begin
with and the replacement hardware for migrating to a fully patched RHEL
8.4 server was ready and waiting to go in the rack.
Now on the nodes in the HPC cluster any privilege escalation bug is an
issue as the unwashed masses have access to that.
> 3.10.0-1160.36.2.el7.x86_64 seems to be the first on the Redhat repo
> that fixes the exploit, but it's not working for our combination of
> TSM/DB2 versions:
> * TSM 8.1.8
> * DB2 v126.96.36.199
Well yikes you need to upgrade your TSM server ASAP as 8.1.8 has a
number of security holes. My TSM is my get out of jail card should we be hit
by ransomware, which seems to be the most likely "disaster" these days, so
patch, patch, patch is my motto.
Besides I am not allowed to run a version that is riddled with security
issues. Being public sector and funded by the Scottish government we
have to be CyberEssentials compliant :-) Basically you are supposed to
apply security patches within 10 days of availability.
> I'll just keep one eye on the repo for the next kernel available and try
> it again. Until then I'll stick with 3.10.0-1062.18.1
Which has a whole slew of bugs too. See above I don't get to run such
old versions :-)
> On the HPSS side 3.10.0-1160.36.2.el7.x86_64 worked fine with DB2 11.5,
> but not with 10.5
Only DB2 usage I have is on our TSM server.
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG