There is a vulnerability in IBM Spectrum Scale packaged with IBM Spectrum Scale RAID for the Elastic Storage Server and the GPFS Storage Server.
CVEID: CVE-2015-7488**
DESCRIPTION:** IBM Spectrum Scale could allow a local, unprivileged user or a user with network access to the IBM Spectrum Scale cluster_, _ access to the_ _LDAP directory bind user password when File protocol is deployed with LDAP / LDAP with Kerberos based authentication.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108784 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
The Elastic Storage Server versions 3.5, 3.0 and 2.5.
The GPFS Storage Server versions 2.5
When using the protocol access methods integrated with IBM Spectrum Scale V4.1.1, although those services may not run on Storage Server hardware, fixes for CVE-2015-7488 need to be applied to all nodes in the cluster regardless of whether they are configured as protocol nodes or not. Please reference the associated IBM Spectrum Scale security bulletin at <http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005580>
For the Elastic Storage Server 3.5,0 and 3.5.1, obtain ESS 3.5.2 to upgrade your system
For the Elastic Storage Server V3.0 and V2.5, you can remediate the vulnerabilities by migrating to the Elastic Storage Server 3.5.2 software which contains IBM Spectrum Scale V4.1.1.4 and IBM Spectrum Scale RAID V4.1.1 available at Fix Central
In all cases, see the release note for details on installation.
For the GPFS Storage Server 2.5, contact Lenovo at http://shop.lenovo.com/us/en/systems/servers/high-density/gpfs-storage/
Note: The GPFS Storage Server 2.0 is not supported at the IBM Spectrum Scale V4.1.1 level. As such, nodes at that level using the integrated protocol access methods are not supported in a cluster with a GSS 2.0.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm spectrum scale raid | eq | 4.1 |