IBM AIX Parallel Systems Support Program (PSSP) contains vulnerability in File Collections subsystem allowing arbitrary access to sensitive configuration files

2002-04-01T00:00:00
ID VU:640827
Type cert
Reporter CERT
Modified 2004-02-23T00:00:00

Description

Overview

IBM AIX Parallel Systems Support Programs (PSSP) contains a vulnerability allowing unauthorized access to files in valid file collections.

Description

IBM PSSP software is used to provide a central point of management control for a cluster of RS/6000 SP nodes and IBM pSeries and IBM RS/6000 servers running AIX.


Impact

Intruders may be able to gain access to files that are included in a valid file collection on the SP system's control workstation, including AIX system configuration and security database files.


Solution

Obtain and apply the fix on all SP system control workstations and nodes as soon as possible. See the instructions below for obtaining the appropriate PTF(s) containing the fix for each release of PSSP.

Follow the instructions in the appropriate README file to enable secure file collections.

PSSP 3.1.1 ssp.sysman.README.IY20699
PSSP 3.2 ssp.sysman.README.IY28063
PSSP 3.4 ssp.sysman.README.IY28065

IMPORTANT: Simply applying the PTF is not sufficient to correct the File Collections security vulnerability. The process to enable Secure File Collections, as documented in the README file, must be completed in order to correct the vulnerability.

Solution:

There are APARs created for all supported PSSP releases. The PTFs addressing those APARs are now available in the indicated PTF Set.

PSSP Release | APAR | PTF # | PTF Set #
---|---|---|---
PSSP 3.1.1 | IY20699 | U482380 | 24
PSSP 3.2 | IY28063 | U482385 | 18
PSSP 3.4 | IY28065 | U482395 | 6

The fix can be obtained by ordering the specific PTF for your release from 1-800-CALLAIX or your country support center. The fix can also be downloaded by selecting the appropriate APAR number from the IBM eServer Support web page at URL:

<http://techsupport.services.ibm.com/server/fixes>


A workaround for the vulnerability is to disable the File Collections subsystem until the fix can be applied or the software upgraded to a supported release.

To disable File Collections, run the following command under the root userid on the SP system's control workstation:

spsitenv filecoll_config=false

To verify that File Collections has been disabled, run the following command:

splstdata -e | grep filecoll_config
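The workaround above, wrapped in a small audit script as an added example (this is not IBM's or CERT's code): it reads the `splstdata -e` output, extracts the filecoll_config attribute, reports whether File Collections is still enabled, and only runs `spsitenv filecoll_config=false` when invoked with `--disable`. The output layout it parses (one `attribute value` pair per line) and the embedded sample output are assumptions, constructed for the example rather than captured from a real control workstation; when `splstdata` is not on the PATH the script falls back to that sample so it can be exercised offline.

```shell
#!/bin/sh
# Added example: audit (and optionally disable) the PSSP File Collections
# subsystem on a control workstation, per the workaround in VU#640827.
# Not IBM's or CERT's code.
# ASSUMPTION: `splstdata -e` prints one "attribute value" pair per line,
# e.g. "filecoll_config            true". Adjust filecoll_value if your
# PSSP release formats the site environment listing differently.

# Constructed sample of site-environment output (NOT captured from a real
# system); only the filecoll_config line matters to the parser.
SAMPLE_SPLSTDATA='List Site Environment Database Information

attribute                  value
-----------------------------------------
control_workstation        cws_example
filecoll_config            true
supfilesrv_port            8431'

# filecoll_value: read splstdata-style output on stdin and print the value
# of filecoll_config ("true" or "false"), or "unknown" if the line is absent.
filecoll_value() {
    awk '$1 == "filecoll_config" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# filecoll_status: turn the raw value into an audit verdict.
#   ENABLED  -> workaround not applied, subsystem still active
#   DISABLED -> workaround in place
#   UNKNOWN  -> attribute missing (not a PSSP CWS, or output format changed)
filecoll_status() {
    case "$1" in
        true)  echo ENABLED ;;
        false) echo DISABLED ;;
        *)     echo UNKNOWN ;;
    esac
}

# audit_filecoll: query the real site environment when splstdata exists,
# otherwise parse the constructed sample so the script runs offline.
audit_filecoll() {
    if command -v splstdata >/dev/null 2>&1; then
        splstdata -e | filecoll_value
    else
        printf '%s\n' "$SAMPLE_SPLSTDATA" | filecoll_value
    fi
}

# disable_filecoll: apply the workaround (must run as root on the control
# workstation), then re-read the setting so the caller sees the real state
# rather than assuming the command took effect.
disable_filecoll() {
    spsitenv filecoll_config=false
    splstdata -e | filecoll_value
}

# Driver: always report; only change the setting when asked with --disable.
verdict=$(filecoll_status "$(audit_filecoll)")
echo "File Collections: $verdict"
if [ "$verdict" = ENABLED ] && [ "$1" = "--disable" ]; then
    echo "Disabling File Collections, new state: $(filecoll_status "$(disable_filecoll)")"
fi
```

Run it without arguments on each control workstation to get a verdict line per host; a result of ENABLED after the PTF has been installed is worth flagging, since the note states that applying the PTF alone does not correct the problem and the Secure File Collections procedure in the README must also be completed. Re-reading the setting after `spsitenv` matches the verification step the note prescribes.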


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
IBM| | -| 28 Mar 2002

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://techsupport.services.ibm.com/server/fixes>

Credit

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: Unknown
  • Date Public: 01 Apr 2002
  • Date First Published: 01 Apr 2002
  • Date Last Updated: 23 Feb 2004
  • Severity Metric: 10.13
  • Document Revision: 4