Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2016-0392)

Summary

There is a vulnerability in IBM Spectrum Scale packaged with IBM Spectrum Scale RAID for the Elastic Storage Server and the GPFS Storage Server.

Vulnerability Details

CVEID: CVE-2016-0392**
DESCRIPTION:** IBM General Parallel File System could allow a local attacker to inject commands into setuid file parameters and execute commands as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112611 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The Elastic Storage Server versions 4.0, 3.5, 3.0 and 2.5

The GPFS Storage Server versions 2.0

Remediation/Fixes

For the Elastic Storage Server 4.0.0 thru 4.0.2, upgrade to 4.0.3, or later, available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.2.0&platform=All&function=all

For the Elastic Storage Server 3.5.0 thru 3.5.4, upgrade to 3.5.5 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all

For the Elastic Storage Server 3.0.0 thru 3.0.5, upgrade to 3.5.5 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all

For the Elastic Storage Server 2.5.0 thru 2.5.5 and the GPFS Storage Server 2.0.0 thru 2.0.7, contact IBM Service referencing APAR IV84206 . See <http://www.ibm.com/planetwide/&gt;

In all cases, see the release note for details on installation.

Workarounds and Mitigations

None