[gpfsug-discuss] kernel 3.10.0-1160.36.2.el7.x86_64 (CVE-2021-33909) not compatible with DB2 (for TSM, HPSS, possibly other IBM apps)

Jonathan Buzzard jonathan.buzzard at strath.ac.uk
Sat Jul 31 23:47:10 BST 2021


On 30/07/2021 15:11, Jaime Pinto wrote:
> Hey Jonathan
> 
> 3.10.0-1160.31.1 seems to be one of the last kernel releases prior to 
> the CVE-2021-33909 exploit.

It is the release immediately prior to 3.10.0-1160.31.2.

To be fair I didn't consider it important to install 3.10.0-1160.31.2 on 
our TSM server because the only people able to log onto it can all get 
root anyway. So a local privilege escalation bug is like meh to begin 
with and the replacement hardware for migrating to a fully patched RHEL 
8.4 server was ready and waiting to go in the rack.

Now on the nodes in the HPC cluster any privilege escalation bug is an 
issue as the unwashed masses have access to that.

> 3.10.0-1160.36.2.el7.x86_64 seems to be the first on the Red Hat repo 
> that fixes the exploit, but it's not working for our combination of 
> TSM/DB2 versions:
> * TSM 8.1.8
> * DB2 v11.1.4.4

Well yikes you need to upgrade your TSM server ASAP as 8.1.8 has a 
number of security holes. My TSM is my get out of jail card should we be hit 
by ransomware, which seems to be the most likely "disaster" these days, so 
patch, patch, patch is my motto.

Besides I am not allowed to run a version that is riddled with security 
issues. Being public sector and funded by the Scottish government we 
have to be CyberEssentials compliant :-) Basically you are supposed to 
apply security patches within 10 days of availability.

> I'll just keep one eye on the repo for the next kernel available and try 
> it again. Until then I'll stick with 3.10.0-1062.18.1

Which has a whole slew of bugs too. See above, I don't get to run such 
old versions :-)

> On the HPSS side 3.10.0-1160.36.2.el7.x86_64 worked fine with DB2 11.5, 
> but not with 10.5
> 

Only DB2 usage I have is on our TSM server.


JAB.

-- 
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG


