[gpfsug-discuss] GPFS vulnerability with possible root exploit on versions prior to 5.0.4.3 (and 4.2.3.21)

Stephan Graf st.graf at fz-juelich.de
Wed Apr 22 10:02:59 BST 2020 

Hi

I took a lookat the "Readme and Release notes for release 5.0.4.3 IBM 
Spectrum Scale 5.0.4.3 
Spectrum_Scale_Data_Management-5.0.4.3-x86_64-Linux Readme"
But I did not find the entry which mentioned the "For IBM Spectrum Scale 
V5.0.0.0 through V5.0.4.1, reference APAR  IJ23438" APAR number which is 
mentioned on the "Security Bulletin: A vulnerability has been identified 
in IBM Spectrum Scale where an unprivileged user could execute commands 
as root ( CVE-2020-4273)" page.

shouldn't it be mentioned there?

Stephan


Am 22.04.2020 um 10:19 schrieb Jaime Pinto:
> In case you missed (the forum has been pretty quiet about this one), 
> CVE-2020-4273 had an update yesterday:
> 
> https://www.ibm.com/support/pages/node/6151701?myns=s033&mynp=OCSTXKQY&mync=E&cm_sp=s033-_-OCSTXKQY-_-E 
> 
> 
> If you can't do the upgrade now, at least apply the mitigation to the 
> client nodes generally exposed to unprivileged users:
> 
> Check the setuid bit:
> ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l 
> /usr/lpp/mmfs/bin/"$9)}')
> 
> Apply the mitigation:
> ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("chmod u-s 
> /usr/lpp/mmfs/bin/"$9)}'
> 
> Verification:
> ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l 
> /usr/lpp/mmfs/bin/"$9)}')
> 
> All the best
> Jaime
> 
> .
> .
> .        ************************************
>            TELL US ABOUT YOUR SUCCESS STORIES
>           http://www.scinethpc.ca/testimonials
>           ************************************
> ---
> Jaime Pinto - Storage Analyst
> SciNet HPC Consortium - Compute/Calcul Canada
> www.scinet.utoronto.ca - www.computecanada.ca
> University of Toronto
> 661 University Ave. (MaRS), Suite 1140
> Toronto, ON, M5G1M1
> P: 416-978-2755
> C: 416-505-1477
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5360 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20200422/d6d51880/attachment.bin>

More information about the gpfsug-discuss mailing list