Security Bulletin: Multiple vulnerabilities affect IBM Storage Scale Hadoop Connector

Summary

Multiple security vulnerabilities have been identified in the IBM Storage Scale (GPFS) Hadoop connector which could allow a local authenticated attacker to execute arbitrary commands on the system. Fixes for these vulnerabilities are available.

Vulnerability Details

CVEID:CVE-2021-28165
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by improper input valistion. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach to 100% usage.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-27216
**DESCRIPTION:**Eclipse Jetty could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the creation of the temporary subdirectory. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190474 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

For IBM Storage Scale V5.1.0.0 through V5.1.8.2, apply V5.1.9.0 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.1.9&platform=All&function=all

If you cannot apply the latest level of service, contact IBM Service.

Workarounds and Mitigations

None