Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2® pureScale™ (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705)

Summary

DB2 LUW is affected by a vulnerability in IBM® Spectrum Scale Version V4.2 and V4.1 that is used by DB2® pureScale™ Feature on AIX and Linux. IBM Spectrum Scale is previously known as General Parallel File System (GPFS).

Vulnerability Details

CVEID: CVE-2018-1431 DESCRIPTION: A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139240&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1447 DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3732 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0705 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111140&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

All fix pack levels of IBM Db2 V10.5, and V11.1 editions on all Unix-type platforms are affected. Windows platforms are not affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, V10.5 and V11.1, can contact IBM technical support to obtain the Spectrum Scale security package update. Before installing the Spectrum Scale security package, the DB2 level might need to be upgraded to the level that includes the supported Spectrum Scale level. Do not attempt to upgrade Spectrum Scale by any other means. The table below lists the DB2 releases and the Spectrum Scale security package to request from IBM technical support.

U881200.gpfs.gskit.bff

10.5 Linux 64-bit, x86-64 |

gpfs.gskit-8.0.50-86.x86_64.rpm

10.5 Linux 64-bit, POWER™ little endian |

gpfs.gskit-8.0.50-86.ppc64le.rpm

11.1 AIX 64-bit |

U881200.gpfs.gskit.bff

11.1 Linux 64-bit, x86-64 |

gpfs.gskit-8.0.50-86.x86_64.rpm

11.1 Linux 64-bit, POWER™ little endian |

gpfs.gskit-8.0.50-86.ppc64le.rpm

The Spectrum Scale security package upgrade instructions are available here: <https://www-01.ibm.com/support/docview.wss?uid=ibm10731637&gt;

Workarounds and Mitigations

None.