IBM AIX Parallel Systems Support Programs (PSSP) contains a vulnerability allowing unauthorized access to files in valid file collections.
IBM PSSP software is used to provide a central point of management control for a cluster of RS/6000 SP nodes and IBM pSeries and IBM RS/6000 servers running AIX.
Intruders may be able to gain access to files that are included in a valid file collection on the SP system's control workstation, including AIX system configuration and security database files.
Obtain and apply the fix on all SP system control workstations and nodes as soon as possible. See the instructions below for obtaining the appropriate PTF(s) containing the fix for each release of PSSP.
Follow the instructions in the appropriate README file to enable secure file collections.
PSSP 3.1.1 ssp.sysman.README.IY20699
PSSP 3.2 ssp.sysman.README.IY28063
PSSP 3.4 ssp.sysman.README.IY28065
IMPORTANT: Simply applying the PTF is not sufficient to correct the File Collections security vulnerability. The process to enable Secure File Collections, as documented in the README file, must be completed in order to correct the vulnerability.
There are APARs created for all supported PSSP releases. The PTFs addressing those APARs are now available in the indicated PTF Set.
PSSP Release | APAR | PTF # | PTF Set #
PSSP 3.1.1 | IY20699 | U482380 | 24
PSSP 3.2 | IY28063 | U482385 | 18
PSSP 3.4 | IY28065 | U482395 | 6
The fix can be obtained by ordering the specific PTF for your release from 1-800-CALLAIX or your country support center. The fix can also be downloaded by selecting the appropriate APAR number from the IBM@server Support web page.
A workaround for the vulnerability is to disable the File Collections subsystem until the fix can be applied or the software is upgraded to a supported release.
To disable File Collections, run the following command under the root userid on the SP system's control workstation:
To verify that File Collections has been disabled, run the following command:
splstdata -e | grep filecoll_config
Vendor| Status| Date Notified| Date Updated
IBM| | -| 28 Mar 2002
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
This document was written by Shawn V. Hernan.